Abstract. We study simple type theory with primitive equality (STT) and its first-order
fragment EFO, which restricts equality and quantification to base types but retains lambda 
abstraction and higher-order variables. As deductive system we employ a cut-free tableau 
calculus. We consider completeness, compactness, and existence of countable models. We 
prove these properties for STT with respect to Henkin models and for EFO with respect 
to standard models. We also show that the tableau system yields a decision procedure for 
three EFO fragments. 



1. Introduction 

Church's type theory [16] is a basic formulation of higher-order logic. Henkin [18]
found a natural class of models for which Church's Hilbert-style proof system turned out
to be complete. Equality, originally expressed with higher-order quantification, was later
identified as the primary primitive of the theory [19, 1]. In this paper we consider simple
type theory with primitive equality but without descriptions or choice. We call this system
STT for simple type theory. The semantics of STT is given by Henkin models with equality.

Modern proof theory started with Gentzen's [17] invention of a cut-free sequent calculus
for first-order logic. While Gentzen proved a cut-elimination theorem for his calculus,
Smullyan [25] found an elegant technique (abstract consistency classes) for proving the
completeness of cut-free first-order calculi. Smullyan [25] found it advantageous to work
with a refutation-oriented variant of Gentzen's sequent calculi [17] known as tableau calculi.

The development of complete cut-free proof systems for simple type theory turned out
to be hard. In 1953, Takeuti [30] introduced a sequent calculus for a version of simple
type theory without primitive equality and conjectured that cut elimination holds for this
calculus. Gentzen's [17] inductive proof of cut-elimination for first-order sequent calculi does
not generalize to the higher-order case since instances of formulas may be more complex than
the formula itself. Moreover, Henkin's [18] completeness proof cannot be adapted for cut-free
systems. Takeuti's conjecture was answered positively by Tait [27] for second-order
logic, by Takahashi [28] and Prawitz [24] for higher-order logic without extensionality, and
by Takahashi [29] for higher-order logic with extensionality. Building on the possible-values
technique of Takahashi [28] and Prawitz [24], Takeuti [31] finally proved Henkin completeness
of a cut-free sequent calculus with extensionality.

The first cut-elimination result for a calculus similar to Church's type theory was
obtained by Andrews [2] in 1971. Andrews considers elementary type theory (Church's type
theory without equality, extensionality, infinity, and choice) and proves that a cut-free
sequent calculus is complete relative to a Hilbert-style proof system. Andrews' proof employs
both the possible-values technique [28, 24] and the abstract consistency technique [25]. In
2004 Benzmüller, Brown and Kohlhase [7] gave a completeness proof for an extensional cut-free
sequent calculus. The constructions in [7] also employ abstract consistency and possible
values.

None of the cut-free calculi discussed above has equality as a primitive. Following Leibniz,
one can define equality of a and b to hold whenever a and b satisfy the same properties.
While this yields equality in standard models (full function spaces), there are Henkin models
where this is not the case, as was shown by Andrews [3]. A particularly disturbing fact about
the model Andrews constructs is that while it is extensional (indeed, it is a Henkin model), it
does not satisfy a formula corresponding to extensionality (formulated using Leibniz equality).
In [3] Andrews gives a definition of a general model which is essentially a Henkin model
with equality. This notion of a general model was generalized to include non-extensional
models in [6], and a condition called property q was explicitly included to ensure that Leibniz
equality is the same as semantic equality. The constructions of Prawitz, Takahashi, Andrews
and Takeuti described above do not produce models guaranteed to satisfy property q.
A similar generalization of Henkin models to non-extensional models is given by Muskens [23],
but without a condition like property q. Muskens uses the Prawitz-Takahashi method to
prove completeness of a cut-free sequent calculus for a formulation of elementary type theory
via a model existence theorem, again producing a model in which Leibniz equality may not
be the same as semantic equality. The models constructed in [6] do satisfy property q, as
do the models constructed in [7].

In addition to the model-theoretic complication, defined equality also destroys the cut-freeness
of a proof system. As shown in [8], any use of Leibniz equality to say that two terms
are equal provides for the simulation of cut (from a Leibniz formula of the form $\forall p.\, ps \to pt$
one can easily infer $u \to u$ for any formula $u$, and then use $u$ as a formula introduced by cut).
Hence calculi that define equality as Leibniz equality cannot claim to provide cut-free equational
reasoning. In the context of resolution, Benzmüller gives serious consideration to primitive
equality and its relationship to Leibniz equality in his 1999 doctoral thesis [4] (see also [5]).
The completeness proofs there are relative to an assumption that corresponds to cut.

The first completeness proof for a cut-free proof system for extensional simple type
theory with primitive equality relative to Henkin models was given by Brown in his 2004
doctoral thesis [12] (later published as a book [13]). Brown proves the Henkin completeness
of a novel one-sided sequent calculus with primitive equality. His model construction starts
with Andrews' [2] non-extensional possible-values relations and then obtains a structure
isomorphic to a Henkin model by taking a quotient with respect to a partial equivalence
relation. Finally, abstract consistency classes [25, 2] are used to obtain the completeness
result. The equality-based decomposition rules of Brown's sequent calculus have commonalities
with the unification rules of the systems of Kohlhase [22] and Benzmüller [5]. Note,
however, that the completeness proofs of Kohlhase and Benzmüller assume the presence of
cut.

In this paper we improve and simplify Brown's result [13]. For the proof system we
switch to a cut-free tableau calculus $\mathcal{T}$ that employs an abstract normalization operator.
With the normalization operator we hide the details of lambda conversion from the tableau
calculus and most of the completeness proof. For the completeness proof we use the new
notion of a value system to directly construct surjective Henkin models. Value systems are
logical relations [26] providing a relational semantics for the simply typed lambda calculus. The
inspiration for value systems came from the possible-values relations used in [13, 14, 15].
In contrast to Henkin models, which obtain values for terms by induction on terms, value
systems obtain values for terms by induction on types. Induction on types, which is crucial
for our proofs, has the advantage of hiding the presence of the lambda binder. As a result,
only a single lemma of our completeness proof deals explicitly with lambda abstractions and
substitutions.

Once we have established the results for STT, we turn to its first-order fragment EFO
(for extended first-order), which restricts equality and quantification to base types but retains
lambda abstraction and higher-order variables. EFO contains the usual first-order
formulas but also contains formulas that are not first-order in the traditional sense. For
instance, a formula $p(\lambda x.\neg fx)$ is EFO even though the predicate $p$ is applied to a $\lambda$-abstraction
and the negation appears embedded in a nontrivial way. We sharpen the results for STT by
proving that they hold for EFO with respect to standard models and for a constrained rule
for the universal quantifier (first published in [14]).

Finally, we consider three decidable fragments of EFO: the lambda-free fragment, the
pure fragment (disequations between simply typed $\lambda$-terms not involving logic), and the
Bernays-Schönfinkel-Ramsey fragment. For each of these fragments, decidability follows
from termination of the tableau calculus for EFO (first published in [15] and [14]).

2. Basic Definitions 

We assume a countable set of base types ($\beta$). Types ($\sigma, \tau, \mu$) are defined inductively:
(1) every base type is a type; (2) if $\sigma$ and $\tau$ are types, then $\sigma\tau$ is a type. We assume a
countable set of names ($x, y$), where every name comes with a unique type, and where for
every type there are infinitely many names of this type (later we will partition names into
variables and logical constants). Terms ($s, t, u, v$) are defined inductively: (1) every name
is a term; (2) if $s$ is a term of type $\tau\mu$ and $t$ is a term of type $\tau$, then $st$ is a term of type $\mu$;
(3) if $x$ is a name of type $\sigma$ and $t$ is a term of type $\tau$, then $\lambda x.t$ is a term of type $\sigma\tau$.
We write $s : \sigma$ to say that $s$ is a term of type $\sigma$. Moreover, we write $\Lambda_\sigma$ for the set of all
terms of type $\sigma$. We assume that the set of types and the set of terms are disjoint.

A frame is a function $\mathcal{D}$ that maps every type to a nonempty set such that $\mathcal{D}(\sigma\tau)$ is
a set of total functions from $\mathcal{D}\sigma$ to $\mathcal{D}\tau$ for all types $\sigma, \tau$ (i.e., $\mathcal{D}(\sigma\tau) \subseteq (\mathcal{D}\sigma \to \mathcal{D}\tau)$).
An assignment into a frame $\mathcal{D}$ is a function $\mathcal{I}$ that extends $\mathcal{D}$ (i.e., $\mathcal{D} \subseteq \mathcal{I}$) and maps every
name $x : \sigma$ to an element of $\mathcal{D}\sigma$ (i.e., $\mathcal{I}x \in \mathcal{D}\sigma$). If $\mathcal{I}$ is an assignment into a frame $\mathcal{D}$,
$x : \sigma$ is a name, and $a \in \mathcal{D}\sigma$, then $\mathcal{I}^a_x$ denotes the assignment into $\mathcal{D}$ that agrees everywhere
with $\mathcal{I}$ but possibly on $x$, where it yields $a$. For every frame $\mathcal{D}$ we define a function $\hat{\ }$ that for
every assignment $\mathcal{I}$ into $\mathcal{D}$ yields a function $\hat{\mathcal{I}}$ that for some terms $s : \sigma$ returns an element
of $\mathcal{D}\sigma$. The definition is by induction on terms.

$$\begin{aligned}
\hat{\mathcal{I}}x &:= \mathcal{I}x \\
\hat{\mathcal{I}}(st) &:= fa && \text{if } \hat{\mathcal{I}}s = f \text{ and } \hat{\mathcal{I}}t = a \\
\hat{\mathcal{I}}(\lambda x.s) &:= f && \text{if } \lambda x.s : \sigma\tau,\ f \in \mathcal{D}(\sigma\tau),\ \text{and } \forall a \in \mathcal{D}\sigma:\ \widehat{\mathcal{I}^a_x}\, s = fa
\end{aligned}$$

We call $\hat{\mathcal{I}}$ the evaluation function of $\mathcal{I}$. The evaluation function may be partial since in the
last clause of the definition, even assuming there is some function $f$ such that $\widehat{\mathcal{I}^a_x}\, s = fa$ for
every $a \in \mathcal{D}\sigma$, this $f$ may not be in $\mathcal{D}(\sigma\tau)$. In such a case, $\hat{\mathcal{I}}$ will not be defined on $\lambda x.s$.
Of course, in such a case $\hat{\mathcal{I}}$ will also not be defined on a term of the form $(\lambda x.s)t$ since the
second clause of the definition will fail. An interpretation is an assignment whose evaluation
function is defined on all terms. An assignment $\mathcal{I}$ is surjective if for every type $\sigma$ and every
value $a \in \mathcal{I}\sigma$ there exists a term $s : \sigma$ such that $\hat{\mathcal{I}}s = a$.

Proposition 2.1. Let $\mathcal{I}$ be an interpretation, $x : \sigma$, and $a \in \mathcal{I}\sigma$. Then $\mathcal{I}^a_x$ is an interpretation.

Proposition 2.2. If $\mathcal{I}$ is a surjective interpretation, then $\mathcal{I}\sigma$ is a countable set for every
type $\sigma$.

A standard frame is a frame $\mathcal{D}$ such that $\mathcal{D}(\sigma\tau) = (\mathcal{D}\sigma \to \mathcal{D}\tau)$ for all types $\sigma, \tau$. A
standard interpretation is an assignment into a standard frame. Note that every standard
interpretation is, in fact, an interpretation.

We assume a normalization operator $[\cdot]$ that provides for lambda conversion. The normalization
operator $[\cdot]$ must be a type-preserving total function from terms to terms. We
call $[s]$ the normal form of $s$ and say that $s$ is normal if $[s] = s$. One possible normalization
operator is a function that for every term $s$ returns a $\beta$-normal term that can be obtained
from $s$ by $\beta$-reduction. We will not commit to a particular normalization operator but
state explicitly the properties we require for our results. To start, we require the following
properties:

N1: $[[s]] = [s]$
N2: $[[s]t] = [st]$
N3: $[xs_1 \ldots s_n] = x[s_1] \ldots [s_n]$ if $xs_1 \ldots s_n : \beta$ and $n \geq 0$
N4: $\hat{\mathcal{I}}[s] = \hat{\mathcal{I}}s$ if $\mathcal{I}$ is an interpretation

Proposition 2.3. $xs_1 \ldots s_n : \beta$ is normal iff $s_1, \ldots, s_n$ are normal.

For the proofs of Lemma 3.3 and Theorem 3.4 we need further properties of the normalization
operator that can only be expressed with substitutions. A substitution is a type-preserving
partial function from names to terms. If $\theta$ is a substitution, $x$ is a name, and $s$ is
a term that has the same type as $x$, we write $\theta^s_x$ for the substitution that agrees everywhere
with $\theta$ but possibly on $x$, where it yields $s$. We assume that every substitution $\theta$ can be
extended to a type-preserving total function $\hat\theta$ from terms to terms such that the following
conditions hold:

S1: $\hat\theta x = $ if $x \in \mathrm{Dom}\,\theta$ then $\theta x$ else $x$
S2: $\hat\theta(st) = (\hat\theta s)(\hat\theta t)$
S3: $[(\hat\theta(\lambda x.s))t] = [\widehat{\theta^t_x}\, s]$
S4: $[\hat\emptyset s] = [s]$

Note that $\emptyset$ (the empty set) is the substitution that is undefined on every name.

3. Value Systems

We introduce value systems as a tool for constructing surjective interpretations. Value
systems are logical relations inspired by the possible-values relations used in [13, 14, 15].

A value system is a function $\triangleright$ that maps every base type $\beta$ to a binary relation $\triangleright_\beta$ such
that $\mathrm{Dom}(\triangleright_\beta) \subseteq \Lambda_\beta$ and $s \triangleright_\beta a$ iff $[s] \triangleright_\beta a$. For every value system we define by induction
on types:

$$\begin{aligned}
\mathcal{D}\sigma &:= \mathrm{Ran}(\triangleright_\sigma) \\
\triangleright_{\sigma\tau} &:= \{\, (s, f) \in \Lambda_{\sigma\tau} \times (\mathcal{D}\sigma \to \mathcal{D}\tau) \mid \forall (t, a) \in \triangleright_\sigma :\ (st, fa) \in \triangleright_\tau \,\}
\end{aligned}$$

Note that $\mathcal{D}(\sigma\tau) \subseteq (\mathcal{D}\sigma \to \mathcal{D}\tau)$ for all types $\sigma\tau$. We usually drop the type index in $s \triangleright_\sigma a$
and read $s \triangleright a$ as $s$ can be $a$ or $a$ is a possible value for $s$.

Proposition 3.1. For every value system: $s \triangleright_\sigma a$ iff $[s] \triangleright_\sigma a$.

Proof. By induction on $\sigma$. For base types the claim holds by the definition of value systems.
Let $\sigma = \tau\mu$. For all $s \in \Lambda_\sigma$, $t \in \Lambda_\tau$, $a \in \mathcal{D}\tau \to \mathcal{D}\mu$, and $b \in \mathcal{D}\tau$,

$$st \triangleright_\mu ab \iff [st] \triangleright_\mu ab \iff [[s]t] \triangleright_\mu ab \iff [s]t \triangleright_\mu ab$$

by the inductive hypothesis and N2. Hence $s \triangleright_\sigma a$ iff $[s] \triangleright_\sigma a$. □

A value system $\triangleright$ is functional if $\triangleright_\beta$ is a functional relation for every base type $\beta$. (That
is, for each $s \in \Lambda_\beta$ there is at most one $b$ such that $s \triangleright b$.)

Proposition 3.2. If $\triangleright$ is functional, then $\triangleright_\sigma$ is a functional relation for every type $\sigma$.

Proof. By induction on $\sigma$. For $\sigma = \beta$, the claim is trivial. Let $\sigma = \tau\mu$ and $s \triangleright_{\tau\mu} f, g$. We
show $f = g$. Let $a \in \mathcal{D}\tau$. Then $t \triangleright_\tau a$ for some $t$. Now $st \triangleright_\mu fa, ga$. By the inductive hypothesis
$fa = ga$. □

A value system $\triangleright$ is total if $x \in \mathrm{Dom}\,\triangleright_\sigma$ for every name $x : \sigma$. An assignment $\mathcal{I}$ is
admissible for a value system $\triangleright$ if $\mathcal{I}\sigma = \mathcal{D}\sigma$ for all types $\sigma$ and $x \triangleright \mathcal{I}x$ for all names $x$.
(Recall that $\triangleright$ is used to define $\mathcal{D}$.) Note that every total value system has admissible
assignments. We will show that admissible assignments are interpretations that evaluate
terms to possible values.

Lemma 3.3. Let $\mathcal{I}$ be an assignment that is admissible for a value system $\triangleright$ and $\theta$ be a
substitution such that $\theta x \triangleright \mathcal{I}x$ for all $x \in \mathrm{Dom}\,\theta$. Then $s \in \mathrm{Dom}\,\hat{\mathcal{I}}$ and $\hat\theta s \triangleright \hat{\mathcal{I}}s$ for every
term $s$.

Proof. By induction on $s$ (with $\mathcal{I}$ and $\theta$ universally quantified). Let $s$ be a term. Case analysis.

$s = x$. The claim holds by assumption and S1.

$s = tu$. Then $t \in \mathrm{Dom}\,\hat{\mathcal{I}}$, $\hat\theta t \triangleright \hat{\mathcal{I}}t$, $u \in \mathrm{Dom}\,\hat{\mathcal{I}}$, and $\hat\theta u \triangleright \hat{\mathcal{I}}u$ by the inductive hypothesis. Thus
$s \in \mathrm{Dom}\,\hat{\mathcal{I}}$ and $\hat\theta s = (\hat\theta t)(\hat\theta u) \triangleright (\hat{\mathcal{I}}t)(\hat{\mathcal{I}}u) = \hat{\mathcal{I}}s$ using S2.

$s = \lambda x.t$, $x : \sigma$ and $t : \tau$. We need to prove $s \in \mathrm{Dom}\,\hat{\mathcal{I}}$ and $\hat\theta s \triangleright \hat{\mathcal{I}}s$. First we prove

$$t \in \mathrm{Dom}\,\widehat{\mathcal{I}^a_x} \ \text{ and } \ (\hat\theta s)u \triangleright \widehat{\mathcal{I}^a_x}\, t \ \text{ whenever } u \triangleright_\sigma a. \tag{3.1}$$

Let $u \triangleright_\sigma a$. The assignment $\mathcal{I}^a_x$ is admissible and the substitution $\theta^u_x$ satisfies the hypothesis
of the lemma for it, so by the inductive hypothesis we have $t \in \mathrm{Dom}\,\widehat{\mathcal{I}^a_x}$ and $\widehat{\theta^u_x}\, t \triangleright \widehat{\mathcal{I}^a_x}\, t$.
Now $[(\hat\theta s)u] = [\widehat{\theta^u_x}\, t] \triangleright \widehat{\mathcal{I}^a_x}\, t$ using S3. Using Proposition 3.1 we conclude that (3.1) holds.

By definition of $\mathcal{D}\sigma$, for every $a \in \mathcal{D}\sigma$ there is a $u$ such that $u \triangleright a$. Using this and (3.1)
we know $t \in \mathrm{Dom}\,\widehat{\mathcal{I}^a_x}$ for every $a \in \mathcal{D}\sigma$. Let $f : \mathcal{D}\sigma \to \mathcal{D}\tau$ be defined by $fa := \widehat{\mathcal{I}^a_x}\, t$ for each
$a \in \mathcal{D}\sigma$. For all $u \triangleright_\sigma a$ we have $(\hat\theta s)u \triangleright fa$ by (3.1). Hence $\hat\theta s \triangleright f$. This implies $f \in \mathcal{D}(\sigma\tau)$,
$s \in \mathrm{Dom}\,\hat{\mathcal{I}}$, $\hat{\mathcal{I}}s = f$ and $\hat\theta s \triangleright \hat{\mathcal{I}}s$ as desired. □

Theorem 3.4. Let $\mathcal{I}$ be an assignment that is admissible for a value system $\triangleright$. Then $\mathcal{I}$ is an
interpretation such that $s \triangleright \hat{\mathcal{I}}s$ for all terms $s$. Furthermore, $\mathcal{I}$ is surjective if $\triangleright$ is functional.

Proof. Follows from Lemma 3.3 (with $\theta = \emptyset$) together with Proposition 3.1 and S4. To prove the second claim, let
$a \in \mathcal{D}\sigma$ be given. By definition of $\mathcal{D}$ there is some $s$ such that $s \triangleright a$. Since $s \triangleright \hat{\mathcal{I}}s$ we know
$\hat{\mathcal{I}}s = a$ by Proposition 3.2. □



4. Simple Type Theory

We now define the terms and semantics of simple type theory (STT). We fix a base
type $o$ for the truth values and a name $\neg : oo$ for negation. Moreover, we fix for every type
$\sigma$ a name $=_\sigma : \sigma\sigma o$ for the identity predicate for $\sigma$. An assignment $\mathcal{I}$ is logical if $\mathcal{I}o = \{0, 1\}$,
$\mathcal{I}\neg$ is the negation function and $\mathcal{I}(=_\sigma)$ is the identity predicate for $\sigma$. We refer to the base
types different from $o$ as sorts, to the names $\neg$ and $=_\sigma$ as logical constants, and to all other
names as variables. From now on $x$ will range over variables. Moreover, $c$ will range over
logical constants and $\alpha$ will range over sorts.

A formula is a term of type $o$. We employ infix notation for formulas obtained with $=_\sigma$
and often write equations $s =_\sigma t$ without the type index. We write $s \neq t$ for $\neg(s = t)$ and
speak of a disequation. Note that quantified formulas $\forall x.s$ can be expressed as equations
$(\lambda x.s) = (\lambda x.\, x = x)$.

A logical interpretation $\mathcal{I}$ satisfies a formula $s$ if $\hat{\mathcal{I}}s = 1$. A model of a set of formulas $A$
is a logical interpretation that satisfies every formula $s \in A$. A set of formulas is satisfiable
if it has a model.



5. Tableau Calculus

We now give a deductive calculus for STT. A branch is a set of normal formulas. The
table
au calculus $\mathcal{T}$ operates on finite branches and employs the rules shown in Figure 1. The
side condition "$x$ fresh" of rule $\mathcal{T}_{\mathrm{FE}}$ requires that $x$ does not occur free in the branch the
rule is applied to. We say a branch $A$ is closed if $x, \neg x \in A$ for some variable $x : o$ or if
$x \neq x \in A$ for some variable $x : \sigma$. Note that $A$ is closed if and only if either $\mathcal{T}_{\mathrm{MAT}}$ or
$\mathcal{T}_{\mathrm{DEC}}$ applies with $n = 0$. We impose the following restrictions:

(1) We only admit rule instances $A / A_1 \ldots A_n$ where $A$ is not closed.

(2) $\mathcal{T}_{\mathrm{FE}}$ can only be applied to a disequation $(s \neq t) \in A$ if there is no variable $x$ such that
$([sx] \neq [tx]) \in A$.

The set of refutable branches is defined inductively: if $A / A_1 \ldots A_n$ is an instance of a rule
of $\mathcal{T}$ and $A_1, \ldots, A_n$ are refutable, then $A$ is refutable. Note that the base cases of this
inductive definition are when $n = 0$. The rules where $n$ may be $0$ are $\mathcal{T}_{\mathrm{MAT}}$ and $\mathcal{T}_{\mathrm{DEC}}$.
Figure 2 shows a refutation in $\mathcal{T}$.
Figure 1: Tableau rules for STT (premises above the line, alternative conclusions separated by $\mid$)

$\mathcal{T}_{\neg\neg}$:  $\dfrac{\neg\neg s}{s}$

$\mathcal{T}_{\mathrm{BQ}}$:  $\dfrac{s =_o t}{s,\, t \ \mid\ \neg s,\, \neg t}$        $\mathcal{T}_{\mathrm{BE}}$:  $\dfrac{s \neq_o t}{s,\, \neg t \ \mid\ \neg s,\, t}$

$\mathcal{T}_{\mathrm{FQ}}$:  $\dfrac{s =_{\sigma\tau} t}{[su] = [tu]}$ ($u : \sigma$ normal)        $\mathcal{T}_{\mathrm{FE}}$:  $\dfrac{s \neq_{\sigma\tau} t}{[sx] \neq [tx]}$ ($x : \sigma$ fresh)

$\mathcal{T}_{\mathrm{MAT}}$:  $\dfrac{xs_1 \ldots s_n,\ \neg x t_1 \ldots t_n}{s_1 \neq t_1 \ \mid\ \cdots\ \mid\ s_n \neq t_n}$ ($n \geq 0$)        $\mathcal{T}_{\mathrm{DEC}}$:  $\dfrac{xs_1 \ldots s_n \neq_\alpha x t_1 \ldots t_n}{s_1 \neq t_1 \ \mid\ \cdots\ \mid\ s_n \neq t_n}$ ($n \geq 0$)

$\mathcal{T}_{\mathrm{CON}}$:  $\dfrac{s =_\alpha t,\ u \neq_\alpha v}{s \neq u,\, t \neq u \ \mid\ s \neq v,\, t \neq v}$

Figure 2: Tableau refuting $\{pf,\ \neg p(\lambda x.\neg\neg fx)\}$ where $p : (\alpha o)o$ and $f : \alpha o$

$pf,\ \neg p(\lambda x.\neg\neg fx)$
  [$\mathcal{T}_{\mathrm{MAT}}$]  $f \neq \lambda x.\neg\neg fx$
  [$\mathcal{T}_{\mathrm{FE}}$]   $fx \neq \neg\neg fx$
  [$\mathcal{T}_{\mathrm{BE}}$]   left branch: $fx,\ \neg\neg\neg fx$        right branch: $\neg fx,\ \neg\neg fx$
    left:  [$\mathcal{T}_{\neg\neg}$] $\neg fx$;  [$\mathcal{T}_{\mathrm{MAT}}$] $x \neq x$;  [$\mathcal{T}_{\mathrm{DEC}}$] closed
    right: [$\mathcal{T}_{\neg\neg}$] $fx$;  [$\mathcal{T}_{\mathrm{MAT}}$] $x \neq x$;  [$\mathcal{T}_{\mathrm{DEC}}$] closed

A remark on the names of the rules: $\mathcal{T}_{\mathrm{MAT}}$ is called the mating rule, $\mathcal{T}_{\mathrm{DEC}}$ the decomposition
rule, $\mathcal{T}_{\mathrm{CON}}$ the confrontation rule, $\mathcal{T}_{\mathrm{BQ}}$ the Boolean equality rule, $\mathcal{T}_{\mathrm{BE}}$ the Boolean
extensionality rule, $\mathcal{T}_{\mathrm{FQ}}$ the functional equality rule, and $\mathcal{T}_{\mathrm{FE}}$ the functional extensionality
rule.

Proposition 5.1 (Soundness). Every refutable branch is unsatisfiable.

Proof. By induction on the definition of refutability. Let $A / A_1 \ldots A_n$ be an instance of a rule of $\mathcal{T}$ such that $A$ is satisfiable. It suffices to
show that one of the branches $A_1, \ldots, A_n$ is satisfiable. Straightforward. □

We will show that the tableau calculus $\mathcal{T}$ is complete, that is, that it can refute every finite
unsatisfiable branch. The rules of $\mathcal{T}$ are designed such that we obtain a strong completeness
result. For practical purposes one can of course include rules that close branches containing
$s, \neg s$ or $s \neq s$.
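To make the rules of Figure 1 concrete, the following Python code is an added illustration (not code from the paper) of a saturation prover for the lambda-free, ground part of $\mathcal{T}$: terms are variables of type $o$ or of a sort, and function variables applied to arguments. No lambda abstraction occurs, so the normalization operator is the identity and $\mathcal{T}_{\mathrm{FQ}}$ and $\mathcal{T}_{\mathrm{FE}}$ never fire; the remaining rules are implemented literally. The term encoding and the signature `SIG` are constructed for the example. A branch is refuted when it is closed or when some rule instance that adds a new formula has only refutable successors; when no rule adds anything, the branch satisfies the evidence conditions of Section 6 and the prover reports it as not refutable.

```python
"""Saturation prover for the lambda-free, ground part of the tableau calculus T.

Added illustration, not the paper's code. Types are 'o', a sort name such as 'a',
or a pair (sigma, tau) for the type sigma tau. Terms are
  ('v', x)                 a variable
  ('app', x, (s1,..,sn))   a variable applied to n >= 1 arguments
  ('not', s), ('eq', s, t), ('ne', s, t)
Branches are frozensets of such formulas. No lambda, so [s] = s.
"""

def V(x):          return ('v', x)
def app(x, *args): return ('app', x, tuple(args))
def neg(s):        return ('not', s)
def eq(s, t):      return ('eq', s, t)
def ne(s, t):      return ('ne', s, t)

# Constructed signature for the examples: x, y : o;  c, d, e : a;  f : a o;  p : o o.
SIG = {'x': 'o', 'y': 'o', 'c': 'a', 'd': 'a', 'e': 'a', 'f': ('a', 'o'), 'p': ('o', 'o')}

def typ(t, sig=SIG):
    """Type of a term; applying a head of type s1 ... sn tau to n arguments gives tau."""
    if t[0] == 'v':
        return sig[t[1]]
    if t[0] == 'app':
        ty = sig[t[1]]
        for _ in t[2]:
            ty = ty[1]
        return ty
    return 'o'                       # negations, equations and disequations are formulas

def head_args(t):
    """Split x s1 ... sn into (x, (s1,..,sn)); n = 0 for a bare variable."""
    return (t[1], ()) if t[0] == 'v' else (t[1], t[2])

def is_atom(t):
    return t[0] in ('v', 'app')

def closed(A):
    """x, ¬x in A for a variable x : o, or x ≠ x in A for a variable x (T_MAT / T_DEC with n = 0)."""
    return any(f[0] == 'not' and f[1][0] == 'v' and f[1] in A for f in A) or \
           any(f[0] == 'ne' and f[1][0] == 'v' and f[1] == f[2] for f in A)

def rule_instances(A, sig=SIG):
    """Yield, for every applicable rule instance, the list of its successor branches."""
    for f in A:
        k = f[0]
        if k == 'not' and f[1][0] == 'not':                       # T_¬¬
            yield [A | {f[1][1]}]
        elif k == 'eq' and typ(f[1], sig) == 'o':                 # T_BQ
            s, t = f[1], f[2]
            yield [A | {s, t}, A | {neg(s), neg(t)}]
        elif k == 'ne' and typ(f[1], sig) == 'o':                 # T_BE
            s, t = f[1], f[2]
            yield [A | {s, neg(t)}, A | {neg(s), t}]
        elif k == 'not' and is_atom(f[1]):                        # T_MAT: x s.., ¬x t..
            x, ts = head_args(f[1])
            for g in A:
                if is_atom(g):
                    y, ss = head_args(g)
                    if x == y and len(ss) == len(ts):
                        yield [A | {ne(s, t)} for s, t in zip(ss, ts)]
        elif k == 'ne' and is_atom(f[1]) and is_atom(f[2]):       # T_DEC at a sort
            x, ss = head_args(f[1])
            y, ts = head_args(f[2])
            if x == y and len(ss) == len(ts):
                yield [A | {ne(s, t)} for s, t in zip(ss, ts)]
        elif k == 'eq':                                           # T_CON: equation at a sort
            s, t = f[1], f[2]
            for g in A:
                if g[0] == 'ne' and typ(g[1], sig) == typ(s, sig):
                    u, v = g[1], g[2]
                    yield [A | {ne(s, u), ne(t, u)}, A | {ne(s, v), ne(t, v)}]

def refutable(A, sig=SIG):
    """Decide refutability of a branch of the fragment by saturation.

    Every rule only adds negations of existing subterms or disequations between
    existing subterms, so saturation terminates. A saturated open branch satisfies
    the evidence conditions (Section 6) and is therefore satisfiable (Theorem 7.7);
    since successors extend their parent, the original branch is then satisfiable too."""
    A = frozenset(A)
    if closed(A):
        return True
    for succs in rule_instances(A, sig):
        if all(B != A for B in succs):           # the instance adds something new
            return all(refutable(B, sig) for B in succs)
    return False
```

The call `refutable({app('p', V('x')), neg(app('p', neg(neg(V('x')))))})` replays the shape of Figure 2 without the lambda: $\mathcal{T}_{\mathrm{MAT}}$ yields $x \neq \neg\neg x$, $\mathcal{T}_{\mathrm{BE}}$ splits, and $\mathcal{T}_{\neg\neg}$ closes both branches. A branch such as $\{c = d,\ c \neq e\}$ at a sort saturates under $\mathcal{T}_{\mathrm{CON}}$ without closing and is reported as not refutable.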

To avoid redundancy, our definition of STT only covers the logical constants $\neg$ and $=_\sigma$.
Adding further constants such as $\wedge$, $\vee$, $\to$, $\forall_\sigma$ and $\exists_\sigma$ is straightforward. In fact, all logical
constants can be expressed with the identities $=_\sigma$ [1]. We have included $\neg$ since we need
it for the formulation of the tableau calculus. The refutation in Figure 3 suggests that the
elimination of $\neg$ is not straightforward.

Figure 3: Tableau refuting $(\lambda x.x) = \lambda x.y$ where $x, y : o$

$(\lambda x.x) = \lambda x.y$
  [$\mathcal{T}_{\mathrm{FQ}}$ with $x$]  $x = y$
  [$\mathcal{T}_{\mathrm{BQ}}$]  left branch: $x,\ y$        right branch: $\neg x,\ \neg y$
    left:  [$\mathcal{T}_{\mathrm{FQ}}$ with $\neg x$]  $(\neg x) =_o y$
           [$\mathcal{T}_{\mathrm{BQ}}$]  $\neg x,\ y$ (closed by $\mathcal{T}_{\mathrm{MAT}}$ on $x, \neg x$)  $\mid$  $\neg\neg x,\ \neg y$ (closed by $\mathcal{T}_{\mathrm{MAT}}$ on $y, \neg y$)
    right: [$\mathcal{T}_{\mathrm{FQ}}$ with $\neg x$]  $(\neg x) =_o y$
           [$\mathcal{T}_{\mathrm{BQ}}$]  $\neg x,\ y$ (closed by $\mathcal{T}_{\mathrm{MAT}}$ on $y, \neg y$)  $\mid$  $\neg\neg x,\ \neg y$, then [$\mathcal{T}_{\neg\neg}$] $x$ (closed by $\mathcal{T}_{\mathrm{MAT}}$ on $x, \neg x$)

Figure 4: Evidence conditions

$\mathcal{E}_{\neg\neg}$: If $\neg\neg s$ is in $E$, then $s$ is in $E$.
$\mathcal{E}_{\mathrm{BQ}}$: If $s =_o t$ is in $E$, then either $s$ and $t$ are in $E$ or $\neg s$ and $\neg t$ are in $E$.
$\mathcal{E}_{\mathrm{BE}}$: If $s \neq_o t$ is in $E$, then either $s$ and $\neg t$ are in $E$ or $\neg s$ and $t$ are in $E$.
$\mathcal{E}_{\mathrm{FQ}}$: If $s =_{\sigma\tau} t$ is in $E$, then $[su] = [tu]$ is in $E$ for every normal $u : \sigma$.
$\mathcal{E}_{\mathrm{FE}}$: If $s \neq_{\sigma\tau} t$ is in $E$, then $[sx] \neq [tx]$ is in $E$ for some variable $x$.
$\mathcal{E}_{\mathrm{MAT}}$: If $xs_1 \ldots s_n$ and $\neg x t_1 \ldots t_n$ are in $E$, then $n \geq 1$ and $s_i \neq t_i$ is in $E$ for some $i \in \{1, \ldots, n\}$. Note that if $n = 0$, this means: if $\neg x \in E$, then $x \notin E$.
$\mathcal{E}_{\mathrm{DEC}}$: If $xs_1 \ldots s_n \neq_\alpha x t_1 \ldots t_n$ is in $E$, then $n \geq 1$ and $s_i \neq t_i$ is in $E$ for some $i \in \{1, \ldots, n\}$. Note that if $n = 0$, this means $x \neq_\alpha x \notin E$.
$\mathcal{E}_{\mathrm{CON}}$: If $s =_\alpha t$ and $u \neq_\alpha v$ are in $E$, then either $s \neq u$ and $t \neq u$ are in $E$ or $s \neq v$ and $t \neq v$ are in $E$.

6. Evidence

A branch $E$ is evident if it satisfies the evidence conditions in Figure 4. The evidence
conditions correspond to the tableau rules and are designed such that every branch that is
closed under the tableau rules is either closed or evident. We will show that evident branches
are satisfiable.

A branch $E$ is complete if for every normal formula $s$ either $s$ or $\neg s$ is in $E$. The cut-freeness
of $\mathcal{T}$ shows in the fact that there are many evident sets that are not complete. For
instance, $\{pf,\ \neg p(\lambda x.\neg fx),\ f \neq \lambda x.\neg fx,\ fx \neq \neg fx,\ \neg fx\}$ is an incomplete evident branch
if $p : (oo)o$.
6.1. Discriminants. Given an evident branch $E$, we will construct a value system whose
admissible logical interpretations are models of $E$. We start by defining the values for the
sorts, which we call discriminants. Discriminants first appeared in [15].

Let $E$ be a fixed evident branch in the following. A term $u \in \Lambda_\alpha$ is $\alpha$-discriminating in
$E$ if there is some term $t$ such that either $u \neq_\alpha t$ or $t \neq_\alpha u$ is in $E$. An $\alpha$-discriminant is a
maximal set $a$ of discriminating terms of type $\alpha$ such that there is no disequation $s \neq t \in E$
with $s, t \in a$. We write $s \sharp t$ if $E$ contains the disequation $s \neq t$ or $t \neq s$.

In [12] a sort was interpreted using maximally compatible sets of terms of the sort
(where $s$ and $t$ are compatible unless $s \sharp t$). The idea is that the set $E$ insists that certain
terms cannot be equal, but leaves open that other terms ultimately may be identified by the
interpretation. In particular, two compatible terms $s$ and $t$ may be identified by taking a
maximally compatible set of terms containing both $s$ and $t$ as a value. It is not difficult to see
that a maximally compatible set is simply the union of an $\alpha$-discriminant with all terms of
sort $\alpha$ that are not $\alpha$-discriminating. We now find that it is clearer to use $\alpha$-discriminants as
values instead of maximally compatible sets. In particular, it is easier to count the number
of $\alpha$-discriminants, as we now show.

Example 6.1. Suppose $E = \{x \neq y,\ x \neq z,\ y \neq z\}$ and $x, y, z : \alpha$. There are 3 $\alpha$-discriminants:
$\{x\}$, $\{y\}$, $\{z\}$.

Example 6.2. Suppose $E = \{a_n \neq_\alpha b_n \mid n \in \mathbb{N}\}$ where the $a_n$ and $b_n$ are pairwise distinct
variables. Then $E$ is evident and there are uncountably many $\alpha$-discriminants.

Proposition 6.3. If $E$ contains exactly $n$ disequations at $\alpha$, then there are at most $2^n$
$\alpha$-discriminants. If $E$ contains no disequation at $\alpha$, then $\emptyset$ is the only $\alpha$-discriminant.

Proposition 6.4. Let $a$ and $b$ be different discriminants. Then:

(1) $a$ and $b$ are separated by a disequation in $E$, that is, there exist terms $s \in a$ and $t \in b$
such that $s \sharp t$.

(2) $a$ and $b$ are not connected by an equation in $E$, that is, there exist no terms $s \in a$ and
$t \in b$ such that $(s = t) \in E$.

Proof. The first claim follows by contradiction. Suppose there are no terms $s \in a$ and $t \in b$
such that $s \sharp t$. Let $s \in a$. Then $s \in b$, since adding $s$ to $b$ introduces no disequation pair and $b$
is a maximal such set of discriminating terms. Thus
$a \subseteq b$ and hence $a = b$ since $a$ is maximal. Contradiction.

The second claim also follows by contradiction. Suppose there is an equation $(s_1 = s_2) \in E$
such that $s_1 \in a$ and $s_2 \in b$. By the first claim we have terms $s \in a$ and $t \in b$ such that
$s \sharp t$. By $\mathcal{E}_{\mathrm{CON}}$ we have $s_1 \sharp s$ or $s_2 \sharp t$. Contradiction since $a$ and $b$ are discriminants. □

6.2. Compatibility. For our proofs we need an auxiliary notion for evident branches that
we call compatibility. Let $E$ be a fixed evident branch in the following. We define relations
$\parallel_\sigma \subseteq \Lambda_\sigma \times \Lambda_\sigma$ by induction on types:

$$\begin{aligned}
s \parallel_o t &:\iff \{[s], \neg[t]\} \not\subseteq E \ \text{ and } \ \{\neg[s], [t]\} \not\subseteq E \\
s \parallel_\alpha t &:\iff \text{not } [s] \sharp [t] \\
s \parallel_{\tau\mu} t &:\iff su \parallel_\mu tv \ \text{ whenever } u \parallel_\tau v
\end{aligned}$$

We say that $s$ and $t$ are compatible if $s \parallel t$.
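The counting in Examples 6.1 and 6.2 and in Proposition 6.3 can be made mechanical. The following Python code is an added illustration, not code from the paper. It represents the disequations of $E$ at one sort $\alpha$ as pairs of variable names (constructed input) and enumerates the $\alpha$-discriminants by the $2^n$ side-choices behind Proposition 6.3: every discriminant omits at least one side of each disequation, and a set obtained by dropping one side of every disequation contains no disequation pair, so the discriminants are exactly the maximal such candidates. `is_discriminant` checks the definition directly and `separated` checks Proposition 6.4 (1) on the result.

```python
"""Enumerating the alpha-discriminants of a branch E (added illustration, not the paper's code).

E is given as the set of its disequations at one sort, each a pair (s, t) of term
names; the terms here are bare variable names, a constructed input.
"""

def discriminating(diseqs):
    """Terms that occur on either side of a disequation in E."""
    return {u for s, t in diseqs for u in (s, t)}

def sharp(s, t, diseqs):
    """s # t: E contains s != t or t != s."""
    return (s, t) in diseqs or (t, s) in diseqs

def is_discriminant(a, diseqs):
    """a consists of discriminating terms, contains no disequation pair, and is maximal."""
    terms = discriminating(diseqs)
    if not a <= terms or any(sharp(s, t, diseqs) for s in a for t in a):
        return False
    # maximality: every discriminating term outside a is separated from some term in a
    return all(any(sharp(u, s, diseqs) for s in a) for u in terms - a)

def discriminants(diseqs):
    """All alpha-discriminants of E as a set of frozensets.

    For each of the 2^n ways of choosing one side of every disequation to drop, the
    remaining discriminating terms contain no disequation pair. A discriminant a
    picks, for each disequation, a side it does not contain; the resulting candidate
    contains a and is maximal only if it equals a. Hence the discriminants are the
    maximal candidates, and there are at most 2^n of them (Proposition 6.3)."""
    diseqs = sorted(set(diseqs))
    terms = discriminating(diseqs)
    n = len(diseqs)
    candidates = set()
    for bits in range(2 ** n):
        dropped = {diseqs[i][(bits >> i) & 1] for i in range(n)}
        candidates.add(frozenset(terms - dropped))
    return {a for a in candidates if not any(a < b for b in candidates)}

def separated(a, b, diseqs):
    """Proposition 6.4 (1): some s in a and t in b satisfy s # t."""
    return any(sharp(s, t, diseqs) for s in a for t in b)
```

For Example 6.1, `discriminants({('x', 'y'), ('x', 'z'), ('y', 'z')})` returns the three singletons; for an empty set of disequations it returns `{frozenset()}`, matching the second part of Proposition 6.3; and for $n$ disequations on pairwise distinct variables (the finite prefixes of Example 6.2) it returns exactly $2^n$ discriminants, which is why the infinite branch has uncountably many.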
Lemma 6.5 (Compatibility). For $n \geq 0$ and all terms $s, t, xs_1 \ldots s_n, xt_1 \ldots t_n$ of type $\sigma$:

(1) We do not have both $s \parallel_\sigma t$ and $[s] \sharp [t]$.

(2) Either $xs_1 \ldots s_n \parallel_\sigma xt_1 \ldots t_n$ or $[s_i] \sharp [t_i]$ for some $i \in \{1, \ldots, n\}$.

Proof. By induction on $\sigma$. Case analysis.

$\sigma = o$. Claim (1) follows with $\mathcal{E}_{\mathrm{BE}}$. Claim (2) follows with N3 and $\mathcal{E}_{\mathrm{MAT}}$.

$\sigma = \alpha$. Claim (1) is trivial. Claim (2) follows with N3 and $\mathcal{E}_{\mathrm{DEC}}$.

$\sigma = \tau\mu$. We show (1) by contradiction. Suppose $s \parallel_\sigma t$ and $[s] \sharp [t]$. By $\mathcal{E}_{\mathrm{FE}}$, $[[s]x] \sharp [[t]x]$ for
some variable $x$. By inductive hypothesis (2) we have $x \parallel_\tau x$. Hence $sx \parallel_\mu tx$. Contradiction
by inductive hypothesis (1) and N2.

To show (2), suppose $xs_1 \ldots s_n \not\parallel_\sigma xt_1 \ldots t_n$. Then there exist terms $u, v$ such that $u \parallel_\tau v$
and $xs_1 \ldots s_n u \not\parallel_\mu xt_1 \ldots t_n v$. By inductive hypothesis (1) we know that $[u] \sharp [v]$ does not
hold. Hence $[s_i] \sharp [t_i]$ for some $i \in \{1, \ldots, n\}$ by inductive hypothesis (2). □



7. Model Existence

Let $E$ be a fixed evident branch. We define a value system $\triangleright$ for $E$:

$$\begin{aligned}
s \triangleright_o 0 &:\iff s \in \Lambda_o \ \text{ and } \ [s] \notin E \\
s \triangleright_o 1 &:\iff s \in \Lambda_o \ \text{ and } \ \neg[s] \notin E \\
s \triangleright_\alpha a &:\iff s \in \Lambda_\alpha,\ a \text{ is an } \alpha\text{-discriminant, and } [s] \in a \text{ if } [s] \text{ is discriminating}
\end{aligned}$$

Note that N1 ensures the property $s \triangleright_\beta a$ iff $[s] \triangleright_\beta a$.

Proposition 7.1. For all variables $x : o$, either $x \triangleright 0$ and $\neg x \triangleright 1$, or $x \triangleright 1$ and $\neg x \triangleright 0$. In
particular, $\mathcal{D}o = \{0, 1\}$.

Proof. By $\mathcal{E}_{\mathrm{MAT}}$ either $x \notin E$ or $\neg x \notin E$. If $x \notin E$, then $x \triangleright 0$ and $\neg x \triangleright 1$ by N3 and $\mathcal{E}_{\neg\neg}$. If
$\neg x \notin E$, then $x \triangleright 1$ and $\neg x \triangleright 0$ by N3. □

Lemma 7.2. A logical assignment is a model of $E$ if it is admissible for $\triangleright$.

Proof. Let $\mathcal{I}$ be a logical assignment that is admissible for $\triangleright$, and let $s \in E$. By Theorem 3.4
we know that $\mathcal{I}$ is an interpretation and that $s \triangleright \hat{\mathcal{I}}s$. Thus $\hat{\mathcal{I}}s \neq 0$ since $s = [s] \in E$. Hence
$\hat{\mathcal{I}}s = 1$. □

It remains to show that $\triangleright$ admits logical interpretations. First we show that all sets $\mathcal{D}\sigma$
are nonempty. To do so, we prove that compatible equi-typed terms have a common value.
A set $T$ of equi-typed terms is compatible if $s \parallel t$ for all terms $s, t \in T$. We write $T \triangleright_\sigma a$ if
$T \subseteq \Lambda_\sigma$, $a \in \mathcal{D}\sigma$, and $t \triangleright a$ for every $t \in T$.

Lemma 7.3 (Common Value). Let $T \subseteq \Lambda_\sigma$. Then $T$ is compatible if and only if there exists
a value $a$ such that $T \triangleright_\sigma a$.

Proof. By induction on $\sigma$.

$\sigma = \alpha$, $\Rightarrow$. Let $T$ be compatible. Then there exists an $\alpha$-discriminant $a$ that contains all
the $\alpha$-discriminating terms in $\{[t] \mid t \in T\}$. Clearly, $T \triangleright a$.

$\sigma = \alpha$, $\Leftarrow$. Suppose $T \triangleright a$ and $T$ is not compatible. Then there are terms $s, t \in T$ such that
$([s] \neq [t]) \in E$. Thus $[s]$ and $[t]$ cannot both be in $a$. This contradicts $s, t \triangleright a$, since $[s]$
and $[t]$ are discriminating.

$\sigma = o$, $\Rightarrow$. By contraposition. Suppose $T \not\triangleright 0$ and $T \not\triangleright 1$. Then there are terms $s, t \in T$
such that $[s], \neg[t] \in E$. Thus $s \not\parallel t$. Hence $T$ is not compatible.

$\sigma = o$, $\Leftarrow$. By contraposition. Suppose $s \not\parallel t$ for some $s, t \in T$. Then $[s], \neg[t] \in E$ without loss of
generality. Hence $s \not\triangleright 0$ and $t \not\triangleright 1$. Thus $T \not\triangleright 0$ and $T \not\triangleright 1$.

$\sigma = \tau\mu$, $\Rightarrow$. Let $T$ be compatible. We define $T_a := \{ts \mid t \in T,\ s \triangleright_\tau a\}$ for every value
$a \in \mathcal{D}\tau$ and show that $T_a$ is compatible. Let $t_1, t_2 \in T$ and $s_1, s_2 \triangleright_\tau a$. It suffices to show
$t_1 s_1 \parallel t_2 s_2$. By the inductive hypothesis $s_1 \parallel_\tau s_2$. Since $T$ is compatible, $t_1 \parallel t_2$. Hence
$t_1 s_1 \parallel t_2 s_2$.

By the inductive hypothesis we now know that for every $a \in \mathcal{D}\tau$ there is a $b \in \mathcal{D}\mu$ such
that $T_a \triangleright_\mu b$. Hence there is a function $f \in \mathcal{D}\tau \to \mathcal{D}\mu$ such that $T_a \triangleright_\mu fa$ for every $a \in \mathcal{D}\tau$. Thus
$T \triangleright_\sigma f$.

$\sigma = \tau\mu$, $\Leftarrow$. Let $T \triangleright_\sigma f$ and $s, t \in T$. We show $s \parallel_\sigma t$. Let $u \parallel_\tau v$. It suffices to show
$su \parallel_\mu tv$. By the inductive hypothesis $u, v \triangleright_\tau a$ for some value $a$. Hence $su, tv \triangleright_\mu fa$. Thus
$su \parallel_\mu tv$ by the inductive hypothesis. □

Lemma 7.4 (Admissibility). For every variable $x : \sigma$ there is some $a \in \mathcal{D}\sigma$ such that $x \triangleright a$.
In particular, $\mathcal{D}\sigma$ is a nonempty set for every type $\sigma$.

Proof. Let $x : \sigma$ be a variable. By Lemma 6.5 (2) we know $x \parallel_\sigma x$. Hence $\{x\}$ is compatible.
By Lemma 7.3 there exists a value $a$ such that $x \triangleright_\sigma a$. The claim follows since $a \in \mathcal{D}\sigma$ by
definition of $\mathcal{D}\sigma$. □

Lemma 7.5 (Functionality). If $s \triangleright_\sigma a$, $t \triangleright_\sigma b$, and $(s = t) \in E$, then $a = b$.

Proof. By contradiction and induction on $\sigma$. Assume $s \triangleright_\sigma a$, $t \triangleright_\sigma b$, $(s = t) \in E$, and $a \neq b$.
Case analysis.

$\sigma = o$. By $\mathcal{E}_{\mathrm{BQ}}$ either $s, t \in E$ or $\neg s, \neg t \in E$. Hence $a$ and $b$ are either both $1$ or both $0$.
Contradiction.

$\sigma = \alpha$. Since $a \neq b$, there must be discriminating terms of type $\alpha$. Since $(s = t) \in E$, we
know by N3 and $\mathcal{E}_{\mathrm{CON}}$ that $s$ and $t$ are normal and discriminating. Hence $s \in a$ and $t \in b$.
Contradiction by Proposition 6.4 (2).

$\sigma = \tau\mu$. Since $a \neq b$, there is some $c \in \mathcal{D}\tau$ such that $ac \neq bc$. By the definition of $\mathcal{D}\tau$
and Proposition 3.1 there is a normal term $u$ such that $u \triangleright_\tau c$. Hence $su \triangleright ac$ and $tu \triangleright bc$. By
Proposition 3.1, $[su] \triangleright_\mu ac$ and $[tu] \triangleright_\mu bc$. By $\mathcal{E}_{\mathrm{FQ}}$ the equation $[su] = [tu]$ is in $E$. Contradiction
by the inductive hypothesis. □

We now define the canonical interpretations for the logical constants:

$$\begin{aligned}
\mathcal{L}(\neg) &:= \lambda a \in \mathcal{D}o.\ \text{if } a = 1 \text{ then } 0 \text{ else } 1 \\
\mathcal{L}(=_\sigma) &:= \lambda a \in \mathcal{D}\sigma.\ \lambda b \in \mathcal{D}\sigma.\ \text{if } a = b \text{ then } 1 \text{ else } 0
\end{aligned}$$

Lemma 7.6 (Logical Constants). $c \triangleright \mathcal{L}(c)$ for every logical constant $c$.

Proof. We show $\neg \triangleright \mathcal{L}(\neg)$ by contradiction. Let $s \triangleright a$ and assume $\neg s \not\triangleright \mathcal{L}(\neg)a$. Case analysis.

• $a = 0$. Then $[s] \notin E$ and $\neg[\neg s] \in E$. Contradiction by N3 and $\mathcal{E}_{\neg\neg}$.

• $a = 1$. Then $\neg[s] \notin E$ and $[\neg s] \in E$. Contradiction by N3.

Finally, we show $(=_\sigma) \triangleright \mathcal{L}(=_\sigma)$ by contradiction. Let $s \triangleright_\sigma a$, $t \triangleright_\sigma b$, and $(s =_\sigma t) \not\triangleright \mathcal{L}(=_\sigma)ab$.
Case analysis.

• $a = b$. Then $[s] \sharp [t]$ by N3. Since $s, t \triangleright a$, we have $s \parallel t$ by Lemma 7.3. Contradiction by
Lemma 6.5 (1).

• $a \neq b$. Then $([s] = [t]) \in E$ by N3. Hence $a = b$ by Proposition 3.1 and Lemma 7.5.
Contradiction. □

Theorem 7.7 (Model Existence). Every evident branch is satisfiable. Moreover, every
complete evident branch has a surjective model, and every finite evident branch has a finite
model.

Proof. Let $E$ be an evident branch and $\triangleright$ be the value system for $E$. By Proposition 7.1,
Lemma 7.4, and Lemma 7.6 we have a logical interpretation $\mathcal{I}$ that is admissible for $\triangleright$. By
Lemma 7.2, $\mathcal{I}$ is a model of $E$.

Let $E$ be complete. By Theorem 3.4 we know that $\mathcal{I}$ is surjective if $\triangleright$ is functional. Let
$s \triangleright_\beta a$ and $s \triangleright_\beta b$. We show $a = b$. By Proposition 3.1 we can assume that $s$ is normal. Thus
$s = s$ is normal by N3. Since $\mathcal{I}$ is a model of $E$, we know that the formula $s \neq s$ is not in $E$.
Since $E$ is complete, we know that $s = s$ is in $E$. By Lemma 7.5 we have $a = b$.

If $E$ is finite, $\mathcal{I}\sigma = \mathcal{D}\sigma$ is finite for every type $\sigma$, by induction on $\sigma$ using Proposition 6.3 for
the sorts and $\mathcal{D}(\sigma\tau) \subseteq (\mathcal{D}\sigma \to \mathcal{D}\tau)$ for function types. □



8. Abstract Consistency 

We now extend the model existence result for evident branches to abstract consistency
classes, following the corresponding development for first-order logic [25]. Notions of abstract
consistency for simple type theory have been previously considered in [2, 21, 22, …, 12, 13].
Equality was treated as Leibniz equality in [2]. Abstract consistency conditions
for primitive equality corresponding to reflexivity and substitutivity properties were given by
Benzmüller in [4, 5]. A primitive identity predicate =σ was considered in [6], but the abstract
consistency conditions for =σ essentially reduced it to Leibniz equality. Conditions for =σ
analogous to CCON first appeared in [12].

An abstract consistency class is a set Γ of branches such that every branch A ∈ Γ satisfies
the conditions in Figure 5. An abstract consistency class Γ is complete if for every branch
A ∈ Γ and every normal formula s either A ∪ {s} or A ∪ {¬s} is in Γ. The completeness
condition was called "saturation" in [6]. As discussed in [8] and the conclusion of [6], the
condition corresponds to having a cut rule in a calculus. In [7] conditions analogous to CDEC
and CMAT appear (using Leibniz equality) and a model existence theorem is proven with
these conditions replacing saturation. The use of Leibniz equality means that there was still
not a cut-free treatment of equality in [7].

Proposition 8.1. Let A be a branch. Then A is evident if and only if {A} is an abstract
consistency class. Moreover, A is a complete evident branch if and only if {A} is a complete
abstract consistency class.

Lemma 8.2 (Extension Lemma). Let Γ be an abstract consistency class and A ∈ Γ. Then
there exists an evident branch E such that A ⊆ E. Moreover, if Γ is complete, a complete
evident branch E exists such that A ⊆ E.

C¬¬ If ¬¬s is in A, then A ∪ {s} is in Γ.

CBQ If s =o t is in A, then either A ∪ {s, t} or A ∪ {¬s, ¬t} is in Γ.

CBE If s ≠o t is in A, then either A ∪ {s, ¬t} or A ∪ {¬s, t} is in Γ.

CFQ If s =στ t is in A, then A ∪ {[su] = [tu]} is in Γ for every normal u : σ.

CFE If s ≠στ t is in A, then A ∪ {[sx] ≠ [tx]} is in Γ for some variable x.

CMAT If xs₁…s_n is in A and ¬xt₁…t_n is in A, then n ≥ 1 and A ∪ {s_i ≠ t_i} is in Γ for some i ∈ {1, …, n}.

CDEC If xs₁…s_n ≠α xt₁…t_n is in A, then n ≥ 1 and A ∪ {s_i ≠ t_i} is in Γ for some i ∈ {1, …, n}.

CCON If s =α t and u ≠α v are in A, then either A ∪ {s ≠ u, t ≠ u} or A ∪ {s ≠ v, t ≠ v} is in Γ.

Figure 5: Abstract consistency conditions (must hold for every A ∈ Γ)

Proof. Let u₀, u₁, u₂, … be an enumeration of all normal formulas. We construct a sequence
A₀ ⊆ A₁ ⊆ A₂ ⊆ ⋯ of branches such that every A_n ∈ Γ. Let A₀ := A. We define A_{n+1}
by cases. If there is no B ∈ Γ such that A_n ∪ {u_n} ⊆ B, then let A_{n+1} := A_n. Otherwise,
choose some B ∈ Γ such that A_n ∪ {u_n} ⊆ B. We consider two subcases.

(1) If u_n is of the form s ≠στ t, then choose A_{n+1} to be B ∪ {[sx] ≠ [tx]} ∈ Γ for some
variable x. This is possible since Γ satisfies CFE.

(2) If u_n is not of this form, then let A_{n+1} be B.

Let E := ⋃_{n∈ℕ} A_n. We show that E satisfies the evidence conditions.

ℰ¬¬ Assume ¬¬s is in E. Let n be such that u_n = s. Let r ≥ n be such that ¬¬s is in
A_r. By C¬¬, A_r ∪ {s} ∈ Γ. Since A_n ∪ {s} ⊆ A_r ∪ {s}, we have s ∈ A_{n+1} ⊆ E.

ℰMAT Assume xs₁…s_n and ¬xt₁…t_n are in E. For each i ∈ {1, …, n}, let m_i be such
that u_{m_i} is s_i ≠ t_i. Let r ≥ m₁, …, m_n be such that xs₁…s_n and ¬xt₁…t_n are in
A_r. By CMAT, n ≥ 1 and there is some i ∈ {1, …, n} such that A_r ∪ {s_i ≠ t_i} ∈ Γ.
Since A_{m_i} ∪ {s_i ≠ t_i} ⊆ A_r ∪ {s_i ≠ t_i}, we have (s_i ≠ t_i) ∈ A_{m_i+1} ⊆ E.

ℰDEC Similar to ℰMAT.

ℰCON Assume s =α t and u ≠α v are in E. Let n, m, j, k be such that u_n is s ≠ u, u_m
is t ≠ u, u_j is s ≠ v and u_k is t ≠ v. Let r ≥ n, m, j, k be such that s =α t and
u ≠α v are in A_r. By CCON either A_r ∪ {s ≠ u, t ≠ u} or A_r ∪ {s ≠ v, t ≠ v} is in
Γ. Assume A_r ∪ {s ≠ u, t ≠ u} is in Γ. Since A_n ∪ {s ≠ u} ⊆ A_r ∪ {s ≠ u, t ≠ u},
we have s ≠ u ∈ A_{n+1} ⊆ E. Since A_m ∪ {t ≠ u} ⊆ A_r ∪ {s ≠ u, t ≠ u}, we have
t ≠ u ∈ A_{m+1} ⊆ E. Next assume A_r ∪ {s ≠ v, t ≠ v} is in Γ. By a similar argument
we know s ≠ v and t ≠ v must be in E.

ℰBQ Assume s =o t is in E. Let n, m, j, k be such that u_n = s, u_m = t, u_j = ¬s and
u_k = ¬t. Let r ≥ n, m, j, k be such that s =o t is in A_r. By CBQ either A_r ∪ {s, t} or
A_r ∪ {¬s, ¬t} is in Γ. Assume A_r ∪ {s, t} is in Γ. Since A_n ∪ {s} ⊆ A_r ∪ {s, t}, we have
s ∈ E. Since A_m ∪ {t} ⊆ A_r ∪ {s, t}, we have t ∈ E. Next assume A_r ∪ {¬s, ¬t} is in
Γ. Since A_j ∪ {¬s} ⊆ A_r ∪ {¬s, ¬t}, we have ¬s ∈ E. Since A_k ∪ {¬t} ⊆ A_r ∪ {¬s, ¬t},
we have ¬t ∈ E.

ℰBE Similar to ℰBQ.

ℰFQ Assume s =στ t is in E and u : σ is normal. Let n be such that u_n is [su] =τ [tu].
Let r ≥ n be such that s =στ t is in A_r. By CFQ we know A_r ∪ {[su] =τ [tu]} is in Γ.
Hence [su] =τ [tu] is in A_{n+1} and also in E.

ℰFE Assume s ≠στ t is in E. Let n be such that u_n is s ≠στ t. Let r ≥ n be such that
s ≠στ t is in A_r. Since A_n ∪ {u_n} ⊆ A_r, there is some variable x such that [sx] ≠τ [tx]
is in A_{n+1} ⊆ E.

It remains to show that E is complete if Γ is complete. Let Γ be complete and s be a normal
formula. We show that s or ¬s is in E. Let m, n be such that u_m = s and u_n = ¬s. We
consider m < n. (The case m > n is symmetric.) If s ∈ A_n we have s ∈ E. If s ∉ A_n, then
A_n ∪ {s} is not in Γ. Hence A_n ∪ {¬s} is in Γ since Γ is complete. Hence ¬s ∈ A_{n+1} ⊆ E. □

Theorem 8.3 (Model Existence). Every member of an abstract consistency class has a 
model, which is surjective if the consistency class is complete. 

Proof. Let A ∈ Γ where Γ is an abstract consistency class. By Lemma 8.2 we have an
evident set E such that A ⊆ E, where E is complete if Γ is complete. The claim follows
with Theorem 7.7. □



9. Completeness 

It is now straightforward to prove the completeness of the tableau calculus 𝒯. Let Γ_𝒯
be the set of all finite branches that are not refutable.

Lemma 9.1. Γ_𝒯 is an abstract consistency class.

Proof. We have to show that Γ_𝒯 satisfies the abstract consistency conditions.

C¬¬ Assume ¬¬s is in A and A ∪ {s} ∉ Γ_𝒯. Then we can refute A using 𝒯¬¬.

CMAT Assume {xs₁…s_n, ¬xt₁…t_n} ⊆ A and A ∪ {s_i ≠ t_i} ∉ Γ_𝒯 for all i ∈ {1, …, n}.
Then we can refute A using 𝒯MAT.

CDEC Assume xs₁…s_n ≠α xt₁…t_n is in A and A ∪ {s_i ≠ t_i} ∉ Γ_𝒯 for all i ∈ {1, …, n}.
Then we can refute A using 𝒯DEC.

CCON Assume s =α t and u ≠α v are in A but A ∪ {s ≠ u, t ≠ u} and A ∪ {s ≠ v, t ≠ v} are
not in Γ_𝒯. Then we can refute A using 𝒯CON.

CBQ Assume s =o t is in A, A ∪ {s, t} ∉ Γ_𝒯 and A ∪ {¬s, ¬t} ∉ Γ_𝒯. Then we can refute A
using 𝒯BQ.

CBE Assume s ≠o t is in A, A ∪ {s, ¬t} ∉ Γ_𝒯 and A ∪ {¬s, t} ∉ Γ_𝒯. Then we can refute A
using 𝒯BE.

CFQ Let (s =στ t) ∈ A ∈ Γ_𝒯. Suppose A ∪ {[su] = [tu]} ∉ Γ_𝒯 for some normal u ∈ Λ_σ.
Then A ∪ {[su] = [tu]} is refutable and so A is refutable by 𝒯FQ.

CFE Let (s ≠στ t) ∈ A ∈ Γ_𝒯. Suppose A ∪ {[sx] ≠ [tx]} ∉ Γ_𝒯 for every variable x : σ. Then
A ∪ {[sx] ≠ [tx]} is refutable for every x : σ. Hence A is refutable using 𝒯FE and the
finiteness of A. Contradiction. □

Theorem 9.2 (Completeness). Every unsatisfiable finite branch is refutable. 

Proof. By contradiction. Let A be an unsatisfiable finite branch that is not refutable. Then
A ∈ Γ_𝒯 and hence A is satisfiable by Lemma 9.1 and Theorem 8.3. Contradiction. □
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10. Compactness and Countable Models 

It is known [18, 1] that simple type theory is compact and has the countable-model
property. We use the opportunity and show how these properties follow from the results we
already have. It is only for the existence of countable models that we make use of complete
evident sets and complete abstract consistency classes.

A branch A is sufficiently pure if for every type σ there are infinitely many variables of
type σ that do not occur free in the formulas of A. Let Γ_C be the set of all sufficiently pure
branches A such that every finite subset of A is satisfiable. We write ⊆_f for the finite subset
relation.

Lemma 10.1. Let A ∈ Γ_C and B₁, …, B_n be finite branches such that A ∪ B_i ∉ Γ_C for all
i ∈ {1, …, n}. Then there exists a finite branch A' ⊆_f A such that A' ∪ B_i is unsatisfiable
for all i ∈ {1, …, n}.

Proof. By the assumption, we have for every i ∈ {1, …, n} a finite and unsatisfiable branch
C_i ⊆ A ∪ B_i. The branch A' := (C₁ ∪ ⋯ ∪ C_n) ∩ A satisfies the claim. □

Lemma 10.2. Γ_C is a complete abstract consistency class.

Proof. We verify the abstract consistency conditions using Lemma 10.1 tacitly.

C¬¬ Assume ¬¬s is in A and A ∪ {s} ∉ Γ_C. There is some A' ⊆_f A such that A' ∪ {s} is
unsatisfiable. There is a model of A' ∪ {¬¬s} ⊆_f A. This is also a model of A' ∪ {s},
contradicting our choice of A'.

CMAT Assume xs₁…s_n and ¬xt₁…t_n are in A and A ∪ {s_i ≠ t_i} ∉ Γ_C for all i ∈
{1, …, n}. There is some A' ⊆_f A such that A' ∪ {s_i ≠ t_i} is unsatisfiable for all
i ∈ {1, …, n}. There is a model ℐ of A' ∪ {xs₁…s_n, ¬xt₁…t_n} ⊆_f A. Since
ℐ(xs₁…s_n) ≠ ℐ(xt₁…t_n), we must have ℐ(s_i) ≠ ℐ(t_i) for some i ∈ {1, …, n} (and
in particular n must not be 0). Thus ℐ models A' ∪ {s_i ≠ t_i}, contradicting our choice
of A'.

CDEC Similar to CMAT.

CCON Assume s =α t and u ≠α v are in A, A ∪ {s ≠ u, t ≠ u} ∉ Γ_C and A ∪ {s ≠ v, t ≠ v}
∉ Γ_C. There is some A' ⊆_f A such that A' ∪ {s ≠ u, t ≠ u} and A' ∪ {s ≠ v, t ≠ v}
are unsatisfiable. There is a model ℐ of A' ∪ {s = t, u ≠ v} ⊆_f A. Since ℐ(s) = ℐ(t)
and ℐ(u) ≠ ℐ(v), we either have ℐ(s) ≠ ℐ(u) and ℐ(t) ≠ ℐ(u) or ℐ(s) ≠ ℐ(v) and
ℐ(t) ≠ ℐ(v). Hence ℐ models either A' ∪ {s ≠ u, t ≠ u} or A' ∪ {s ≠ v, t ≠ v},
contradicting our choice of A'.

CBQ Assume s =o t is in A, A ∪ {s, t} ∉ Γ_C and A ∪ {¬s, ¬t} ∉ Γ_C. There is some
A' ⊆_f A such that A' ∪ {s, t} and A' ∪ {¬s, ¬t} are unsatisfiable. There is a model of
A' ∪ {s = t} ⊆_f A. This is also a model of A' ∪ {s, t} or A' ∪ {¬s, ¬t}.

CBE Assume s ≠o t is in A, A ∪ {s, ¬t} ∉ Γ_C and A ∪ {¬s, t} ∉ Γ_C. There is some
A' ⊆_f A such that A' ∪ {s, ¬t} and A' ∪ {¬s, t} are unsatisfiable. There is a model of
A' ∪ {s ≠ t} ⊆_f A. This is also a model of A' ∪ {s, ¬t} or A' ∪ {¬s, t}.

CFQ Assume s =στ t is in A but A ∪ {[su] =τ [tu]} is not in Γ_C for some normal u ∈ Λ_σ.
There is some A' ⊆_f A such that A' ∪ {[su] = [tu]} is unsatisfiable. There is a model
ℐ of A' ∪ {s = t} ⊆_f A. Since ℐ(s) = ℐ(t), we know ℐ([su]) = ℐ(su) = ℐ(s)ℐ(u) =
ℐ(t)ℐ(u) = ℐ(tu) = ℐ([tu]) using N4. Hence ℐ is a model of A' ∪ {[su] = [tu]}, a
contradiction.

CFE Assume s ≠στ t is in A. Since A is sufficiently pure, there is a variable x : σ which
does not occur in A. Assume A ∪ {[sx] ≠ [tx]} ∉ Γ_C. There is some A' ⊆_f A such
that A' ∪ {[sx] ≠ [tx]} is unsatisfiable. There is a model ℐ of A' ∪ {s ≠ t} ⊆_f A.
Since ℐ(s) ≠ ℐ(t), there must be some a ∈ 𝒟σ such that ℐ(s)a ≠ ℐ(t)a. Since
x does not occur free in A, we know ℐ^x_a(sx) ≠ ℐ^x_a(tx) and ℐ^x_a is a model of A'.
Since ℐ^x_a([sx]) = ℐ^x_a(sx) and ℐ^x_a([tx]) = ℐ^x_a(tx) by N4, we conclude ℐ^x_a is a model of
A' ∪ {[sx] ≠ [tx]}, contradicting our choice of A'.

We show the completeness of Γ_C by contradiction. Let A ∈ Γ_C and s be a normal formula
such that A ∪ {s} and A ∪ {¬s} are not in Γ_C. Then there exists A' ⊆_f A such that A' ∪ {s}
and A' ∪ {¬s} are unsatisfiable. Contradiction since A' is satisfiable. □

Theorem 10.3. Let A be a branch such that every finite subset of A is satisfiable. Then A 
has a countable model. 

Proof. Without loss of generality we assume A is sufficiently pure. Then A ∈ Γ_C. Hence A
has a countable model by Lemma 10.2 and Theorem 8.3. □

11. EFO Fragment 

We now turn to the EFO fragment of STT as first reported in [14]. The EFO fragment
contains first-order logic and enjoys the usual properties of first-order logic. We will show
completeness and compactness with respect to standard models. We will also prove that
countable models for evident EFO sets exist.

Suppose STT were given with ¬, →, =σ and ∀σ. Then the natural definition of EFO
would restrict =σ and ∀σ to the case where σ is a base type. To avoid redundancy our
definition of EFO will also exclude the case where σ = o.

Our definition of EFO assumes the logical constants ¬ : oo, → : ooo, =α : ααo and
∀α : (αo)o where α ranges over sorts. We call these constants EFO constants. For an
assignment to be logical we require that it interprets the logical constants as usual. In
particular, ℐ(∀α) must be the function returning 1 iff its argument is the constant 1 function.

We say a term is EFO if it only contains the logical constants ¬, →, =α and ∀α. Let
EFO_σ be the set of EFO terms of type σ. A term is quasi-EFO if it is EFO or of the form
s ≠σ t where s, t are EFO and σ is a type. A branch E is EFO if every member of E is
quasi-EFO. The example tableau shown in Figure 2 only contains EFO branches.

The tableau rules in Figure 6 define a tableau calculus 𝒯 for EFO branches up to
restrictions on applicability given in Section 14. After showing a model existence theorem,
we will precisely define the tableau calculus 𝒯 and prove it is complete for EFO branches.
The completeness result will be with respect to standard models. For some fragments of
EFO the tableau calculus 𝒯 will terminate, yielding decidability results.

12. EFO Evidence and Compatibility 

We say an EFO branch E is evident if it satisfies the evidence conditions in Figure 4
and the following additional conditions.

$$\mathcal{T}_{\neg\neg}\ \frac{\neg\neg s}{s}\qquad
\mathcal{T}_{BE}\ \frac{s \neq_o t}{s,\ \neg t \ \mid\ \neg s,\ t}\qquad
\mathcal{T}_{\to}\ \frac{s \to t}{\neg s \ \mid\ t}\qquad
\mathcal{T}_{\neg\to}\ \frac{\neg(s \to t)}{s,\ \neg t}$$

$$\mathcal{T}_{MAT}\ \frac{x s_1 \ldots s_n,\ \neg x t_1 \ldots t_n}{s_1 \neq t_1 \ \mid\ \cdots\ \mid\ s_n \neq t_n}\qquad
\mathcal{T}_{DEC}\ \frac{x s_1 \ldots s_n \neq_\alpha x t_1 \ldots t_n}{s_1 \neq t_1 \ \mid\ \cdots\ \mid\ s_n \neq t_n}\quad n \geq 0$$

$$\mathcal{T}_{FE}\ \frac{s \neq_{\sigma\tau} t}{[sx] \neq [tx]}\ \ x : \sigma \text{ fresh}\qquad
\mathcal{T}_{CON}\ \frac{s =_\alpha t,\ u \neq_\alpha v}{s \neq u,\ t \neq u \ \mid\ s \neq v,\ t \neq v}$$

$$\mathcal{T}_{\forall}\ \frac{\forall_\alpha s}{[su]}\ \ u \in EFO_\alpha \text{ normal}\qquad
\mathcal{T}_{\neg\forall}\ \frac{\neg\forall_\alpha s}{\neg[sx]}\ \ x : \alpha \text{ fresh}$$

Figure 6: Tableau rules for EFO

ℰ→ If s → t is in E, then ¬s or t is in E.

ℰ¬→ If ¬(s → t) is in E, then s and ¬t are in E.

ℰ∀ If ∀α s is in E, then [su] is in E for every α-discriminating u in E.

ℰ∀^∃ If ∀α s is in E, then [su] is in E for some normal EFO term u : α.

ℰ¬∀ If ¬∀α s is in E, then ¬[sx] is in E for some variable x.

We say an EFO branch E is EFO-complete if for all normal s ∈ EFO_o either s ∈ E or
¬s ∈ E.

The condition ℰ∀ is the usual condition for universal quantifiers with instantiations
restricted to α-discriminating terms. Since there may be no α-discriminating terms in E,
we also include the condition ℰ∀^∃ to ensure that at least one instantiation has been made.
Without the condition ℰ∀^∃, the set {∀α x. ¬(y → y)} would be evident.

Let E be an evident EFO branch. Compatibility can be defined exactly as in Section 6
and Lemma 6.5 holds. In the proof of Lemma 13.8 below, we will need to know that if E has
some α-discriminating term, then all α-discriminants are nonempty. Since α-discriminants
are maximal sets of α-discriminating terms, it is enough to prove every α-discriminating
term is compatible with itself. To be concrete, we must prove s ≠α s is never in E. One
way we could ensure this is to include it as an evidence condition and have a corresponding
tableau rule of the form:

$$\frac{s \neq_\alpha s}{}$$

This was the choice taken in [14]. One drawback to including this rule in the ground
calculus is that a lifting lemma will be more difficult to show when one passes to a calculus
with variables.

Another alternative is to remove the restriction on instantiations in the rule 𝒯∀. If we do
not restrict 𝒯∀ to discriminating terms, then we can show the existence of a model without
knowing a priori that α-discriminants are nonempty in the presence of α-discriminating
terms.

In order to obtain a strong completeness result, we will not follow either of these alternatives.
Instead we prove that all terms are compatible with themselves. First we prove
EFO constants are compatible with themselves.

Lemma 12.1. For every EFO constant c, c ‖ c.

Proof. Case analysis. ¬ ‖ ¬ follows from N3 and ℰ¬¬; → ‖ → follows from N3, ℰ→ and ℰ¬→;
=α ‖ =α follows from N3 and ℰCON. We show ∀α ‖ ∀α. Let s ‖αo t be given. Assume ∀s ∦ ∀t.
Without loss of generality, assume [∀s] and ¬[∀t] are in E. By ℰ¬∀ we have ¬[tx] in E for
some variable x : α. By ℰ∀^∃ we have [su] in E for some normal EFO term u. Since su ∦ tx,
we must have u ∦α x. In particular, x must be an α-discriminating term. By ℰ∀ we have
[sx] in E. Hence we must have x ∦α x, contradicting Lemma 6.5(2). □

Next we prove compatibility respects normalization. 

Lemma 12.2. For all s, t : σ, s ‖σ t iff [s] ‖σ [t].

Proof. Induction on types. At base types this follows from N1 and the definition of compatibility.
Assume σ is τμ. Let u ‖τ v. By N2 and the inductive hypothesis (twice) we have
su ‖ tv iff [su] ‖ [tv] iff [[s]u] ‖ [[t]v] iff [s]u ‖ [t]v. Hence s ‖ t iff [s] ‖ [t]. □

For two substitutions θ and φ we write θ ‖ φ when Dom θ = Dom φ, θx ‖ φx for every
variable x ∈ Dom θ and θc ‖ φc for every EFO constant c ∈ Dom θ.

Lemma 12.3. For all s ∈ EFO_σ, if θ ‖ φ, then θs ‖ φs.

Proof. By induction on s. Case analysis.

s is a variable or an EFO constant in Dom θ. The claim follows from θ ‖ φ and S1.

s is a variable not in Dom θ. The claim follows from S1 and Lemma 6.5(2).

s is an EFO constant not in Dom θ. The claim follows from S1 and Lemma 12.1.

s = tu. By inductive hypothesis θt ‖ φt and θu ‖ φu. Hence θ(tu) ‖ φ(tu) using S2.

s = λx.t where x : σ. Let u ‖ v be given. We will prove (θs)u ‖ (φs)v. Using Lemma 12.2
and S3 it is enough to prove θ^x_u t ‖ φ^x_v t. This is the inductive hypothesis with θ^x_u and φ^x_v. □

Lemma 12.4. For all s ∈ EFO_σ, s ‖ s.

Proof. By Lemma 12.3 we have ∅s ‖ ∅s. We conclude s ‖ s using Lemma 12.2 and S4. □

We can now prove α-discriminants are nonempty if E has some α-discriminating term.

Lemma 12.5. If a is an α-discriminant and E has an α-discriminating term, then a is
nonempty.

Proof. Let s be α-discriminating. We know s ‖ s by Lemma 12.4 and so {s} is compatible.
If a is empty, then a ∪ {s} is compatible, contradicting maximality of a. □
13. EFO Model Construction

Let E be an evident EFO branch. We inductively define a standard frame 𝒟.

$$\mathcal{D}o = \{0, 1\}$$

$$\mathcal{D}\alpha = \{a \mid a \text{ is an } \alpha\text{-discriminant}\}$$

$$\mathcal{D}(\sigma\tau) = \mathcal{D}\sigma \to \mathcal{D}\tau$$

We define a value system ▷ as for STT, but extend it to higher types using full function
spaces.

$$s \triangleright 0 \ :\Longleftrightarrow\ s \in \Lambda_o \text{ and } [s] \notin E$$

$$s \triangleright 1 \ :\Longleftrightarrow\ s \in \Lambda_o \text{ and } \neg[s] \notin E$$

$$s \triangleright_\alpha a \ :\Longleftrightarrow\ s \in \Lambda_\alpha,\ a \text{ is an } \alpha\text{-discriminant, and } [s] \in a \text{ if } [s] \text{ is discriminating}$$

$$\triangleright_{\sigma\tau} := \{(s, f) \in \Lambda_{\sigma\tau} \times (\mathcal{D}\sigma \to \mathcal{D}\tau) \mid \forall (t, a) \in \triangleright_\sigma : (st, fa) \in \triangleright_\tau\}$$

In spite of the slightly different construction, many of the previous results still hold with 
essentially the same proofs as before. 

Proposition 13.1. s ▷σ a iff [s] ▷σ a.

Proof. Similar to Proposition 3.1. □

Lemma 13.2. Let ℐ be an assignment into 𝒟 such that x ▷ ℐx for all names x and θ be
a substitution such that θx ▷ ℐx for all x ∈ Dom θ. Then s ∈ Dom ℐ and θs ▷ ℐs for every
term s.

Proof. Similar to Lemma 3.3. □

Theorem 13.3. Let ℐ be an assignment into 𝒟 such that x ▷ ℐx for all names x. Then ℐ
is an interpretation such that s ▷ ℐs for all terms s.

Proof. Follows from Proposition 13.1, Lemma 13.2 and property S4. □

Lemma 13.4. A logical assignment ℐ is a model of E if x ▷ ℐx for every name x.

Proof. Similar to Lemma 7.2 using Theorem 13.3. □

Lemma 13.5 (Common Value). Let T ⊆ Λ_σ. Then T is compatible if and only if there
exists a value a such that T ▷σ a.

Proof. Similar to Lemma 7.3. □

Lemma 13.6 (Admissibility). For every variable x : σ there is some a ∈ 𝒟σ such that x ▷ a.

Proof. Similar to Lemma 7.4 using Lemma 6.5 and Lemma 13.5. □

Lemma 13.7 (Functionality). If s ▷α a, t ▷α b, and (s = t) ∈ E, then a = b.

Proof. Similar to Lemma 7.5, restricted only to sorts. □
As before ℒ(c) is the canonical interpretation for each logical constant c. We now have
the additional logical constants → and ∀α:

$$\mathcal{L}(\to) := \lambda a \in \mathcal{D}o.\ \lambda b \in \mathcal{D}o.\ \text{if } a = 1 \text{ then } b \text{ else } 1$$

$$\mathcal{L}(\forall_\alpha) := \lambda f \in \mathcal{D}\alpha \to \mathcal{D}o.\ \text{if } f = (\lambda x \in \mathcal{D}\alpha.\ 1) \text{ then } 1 \text{ else } 0$$

Lemma 13.8 (Logical Constants). c ▷ ℒ(c) for every logical constant c.

Proof. Similar to Lemma 7.6. The proof for ¬ is the same. The proof for → uses N3,
ℰ→ and ℰ¬→. The proof for =σ requires a slight modification. Assume s ▷σ a, t ▷σ b, and
(s =σ t) ▷̸ ℒ(=σ)ab. Case analysis.

• a = b. Use Lemmas 13.5 and 6.5(1).

• a ≠ b. Then ([s] = [t]) ∈ E and so σ must be a sort α since E is EFO. This contradicts
Lemma 13.7.

Finally, we prove ∀α ▷ ℒ(∀α). Assume s ▷αo f and ∀α s ▷̸ ℒ(∀α)f. Case analysis.

• ℒ(∀α)f = 1. Then ¬[∀α s] ∈ E and so by N3, ℰ¬∀ and N2 we have ¬[sx] ∈ E for some
variable x : α. We know {x} is compatible by Lemma 6.5(2) and so by Lemma 13.5 there
is some a ∈ 𝒟α such that x ▷ a. Thus sx ▷ 1, contradicting ¬[sx] ∈ E.

• ℒ(∀α)f = 0. Then [∀α s] ∈ E and there is some a ∈ 𝒟α such that fa = 0. Suppose there
are no α-discriminating terms. In this case a is empty and u ▷ a for any u ∈ Λ_α. By N3,
ℰ∀^∃ and N2 we have [su] ∈ E for some normal EFO term u. Hence su ▷̸ 0, contradicting
s ▷ f and u ▷ a. Next suppose there are α-discriminating terms. In this case there is some
u ∈ a by Lemma 12.5. By N3, ℰ∀ and N2 we know [su] ∈ E. In this case we also have
su ▷̸ 0, again contradicting s ▷ f and u ▷ a. □

Theorem 13.9 (EFO Model Existence). Every evident EFO branch has a standard model.
Every EFO-complete evident EFO branch has a standard model where each 𝒟α is countable.
Every finite evident EFO branch has a finite standard model.

Proof. We use the frame 𝒟 and relation ▷ defined above. We give an assignment ℐ into 𝒟.
For each variable x we can choose ℐx such that x ▷ ℐx using Lemma 13.6. For each logical
constant c we choose ℐc = ℒ(c). By Lemma 13.8 we know c ▷ ℐc. ℐ is a model of E by
Lemma 13.4.

Suppose E is EFO-complete. We prove there are only countably many α-discriminants
as follows. If there are no α-discriminating terms, then ∅ is the only α-discriminant. Otherwise,
every α-discriminant is nonempty by Lemma 12.5. For each α-discriminant a, choose
some s_a ∈ a. We prove the function mapping a to s_a is injective. Assume a, b ∈ 𝒟α and
a ≠ b. By EFO-completeness of E and Proposition 6.4 we must have s_a ≠ s_b ∈ E. If s_a and
s_b were the same term, then E would be unsatisfiable. Hence s_a and s_b are different terms.

Finally, if E is finite, then for each sort α there will be only finitely many α-discriminants
(by Proposition 6.3) and hence 𝒟α will be finite for all α. □

14. EFO Completeness 

Let 𝒯 be the tableau calculus given by taking all the rules from Figure 6 subject to the
following restrictions.

• If (s ≠ t) is on a branch A, then 𝒯FE can only be applied if there is no variable x such that
([sx] ≠ [tx]) ∈ A.

• If ¬∀α s is on a branch A, then 𝒯¬∀ can only be applied if there is no variable x : α such
that ¬[sx] ∈ A.

• If ∀α s is on a branch A and there are α-discriminating terms in A, then 𝒯∀ can only be
applied with these α-discriminating terms.

• If ∀α s is on a branch A, [su] ∉ A for all normal u ∈ Λ_α, some variable x : α occurs free
in A and there are no α-discriminating terms in A, then 𝒯∀ can only be applied with a
variable x : α occurring free in A.

• If ∀α s is on a branch A, [su] ∉ A for all normal u ∈ Λ_α, no variable x : α occurs free in A
and there are no α-discriminating terms in A, then 𝒯∀ can only be applied with a variable
x : α.

The idea behind the restrictions on 𝒯∀ is that only α-discriminating terms should be used
as instantiations, except when there are no α-discriminating terms. In case there are no
α-discriminating terms, at most one new variable x : α will be used as an instantiation term
for each sort α. These restrictions will ensure that 𝒯 terminates when given branches in
certain fragments of EFO.

From now on we use the term refutable to refer to refutability in the calculus 𝒯. That
is, the set of refutable branches is the least set such that if A / A₁ … A_n is an instance of a
rule of 𝒯 and A₁, …, A_n are refutable, then A is refutable. The proof of soundness for the
STT calculus (see Proposition 5.1) extends to show soundness of 𝒯.

Proposition 14.1 (Soundness of 𝒯). Every refutable branch is unsatisfiable.

An EFO abstract consistency class is a set Γ of EFO branches such that every branch
A ∈ Γ satisfies the conditions in Figure 5 and also the following conditions:

C→ If s → t is in A, then A ∪ {¬s} or A ∪ {t} is in Γ.

C¬→ If ¬(s → t) is in A, then A ∪ {s, ¬t} is in Γ.

C∀ If ∀α s is in A, then A ∪ {[su]} is in Γ for every α-discriminating u in A.

C∀^∃ If ∀α s is in A, then A ∪ {[su]} is in Γ for some normal EFO term
u ∈ Λ_α.

C¬∀ If ¬∀α s is in A, then A ∪ {¬[sx]} is in Γ for some variable x.

We say an abstract consistency class Γ is EFO-complete if for all A ∈ Γ and all normal
s ∈ EFO_o either A ∪ {s} ∈ Γ or A ∪ {¬s} ∈ Γ.

Let Γ_𝒯^EFO be the set of all finite EFO branches that are not refutable.

Lemma 14.2. Γ_𝒯^EFO is an abstract consistency class.

Proof. Similar to Lemma 9.1. We only check the new conditions: C→, C¬→, C∀, C∀^∃ and C¬∀.

C→ Let s → t ∈ A ∈ Γ_𝒯^EFO. Suppose A ∪ {¬s} ∉ Γ_𝒯^EFO and A ∪ {t} ∉ Γ_𝒯^EFO. By 𝒯→ we
have A is refutable. Contradiction.

C¬→ If ¬(s → t) ∈ A and A ∪ {s, ¬t} ∉ Γ_𝒯^EFO, then A ∉ Γ_𝒯^EFO using the rule 𝒯¬→.

C∀ Let ∀α s ∈ A ∈ Γ_𝒯^EFO. Suppose A ∪ {[su]} ∉ Γ_𝒯^EFO for some normal α-discriminating u.
Then A ∪ {[su]} is refutable. Hence A can be refuted using 𝒯∀ (with the restriction).

C∀^∃ Let ∀α s ∈ A ∈ Γ_𝒯^EFO. If there is some α-discriminating term, then C∀^∃ follows from
C∀. Assume there are no α-discriminating terms and A ∪ {[su]} ∉ Γ_𝒯^EFO for all normal
u ∈ EFO_α. In particular, [su] ∉ A for all normal u ∈ EFO_α. Choose a variable
x : α occurring free in A (or any variable x : α if none occurs free in A). Since
A ∪ {[sx]} ∉ Γ_𝒯^EFO, A ∪ {[sx]} is refutable. Using 𝒯∀ (with the restriction), A is refutable.
Contradiction.

C¬∀ Let ¬∀α s ∈ A ∈ Γ_𝒯^EFO. Suppose A ∪ {¬[sx]} ∉ Γ_𝒯^EFO for every variable x : α. Let x : α
be fresh for A. Then A ∪ {¬[sx]} is refutable and so A can be refuted using 𝒯¬∀. □

Lemma 14.3 (EFO Extension Lemma). Let Γ be an abstract consistency class and A ∈ Γ
be an EFO branch. Then there exists an evident EFO branch E such that A ⊆ E. Moreover,
if Γ is EFO-complete, an EFO-complete evident EFO branch E exists such that A ⊆ E.

Proof. Similar to Lemma 8.2. Instead of using an enumeration of all normal formulas, we
use an enumeration of all normal EFO formulas. The proof goes through when one makes
some obvious modifications. □

Theorem 14.4 (EFO Completeness). Every finite EFO branch is either refutable or has a
standard model.

Proof. Follows from Lemma 14.2, Lemma 14.3 and Theorem 13.9. □

We now turn to compactness and the existence of countable models. Let Γ_C^EFO be the
set of all sufficiently pure EFO branches A such that every finite subset of A has a standard
model.

Lemma 14.5. Γ_C^EFO is an EFO-complete abstract consistency class.

Proof. Similar to Lemma 10.2. □

Theorem 14.6. Let A be a branch such that every finite subset of A has a standard model.
Then A has a standard model where 𝒟α is countable for all sorts α.

Proof. Similar to Theorem 10.3. □

Corollary 14.7. Let A be a satisfiable EFO branch. Then A has a standard model where
𝒟α is countable for all sorts α.

Proof. To apply Theorem 14.6 we only need to show every finite subset of A has a standard model.
Let A' be a finite subset of A. Since A' is satisfiable, A' is not refutable by Proposition 14.1.
By Theorem 14.4, A' has a standard model. □



15. Decidable EFO Fragments 

Given the completeness result for the tableau calculus 𝒯 (Theorem 14.4), we can show
a fragment of EFO is decidable by proving 𝒯 terminates on branches in the fragment. We
will use this technique to argue decidability of three fragments:

• The λ-free fragment, which is EFO without λ-abstraction.

• The pure fragment, which consists of disequations s ≠ t where no name used in s and t
has a type that contains o.

• The BSR fragment (Bernays-Schönfinkel-Ramsey), which consists of relational first-order
∃*∀*-formulas with equality.

Proposition 15.1 (Verification Soundness). Let A be a finite EFO branch that is not closed
and cannot be extended with 𝒯. Then A is evident and has a finite model.

Proof. Checking A is evident is easy. The existence of a finite model follows from Theorem
13.9. □
We now have a general method for proving decidability of satisfiability within a fragment.

Proposition 15.2. Let 𝒯 terminate on a set Δ of finite EFO branches. Then satisfiability
of the branches in Δ is decidable and every satisfiable branch in Δ has a finite model.

Proof. Follows with Propositions 14.1 and 15.1 and Theorem 13.9. □

The decision procedure depends on the normalization operator employed with 𝒯. A
normalization operator that yields β-normal forms provides for all termination results proven
in this section. Note that the tableau calculus applies the normalization operator only to
applications st where s and t are both normal and t has type α (for some sort α) if it is not a
variable. Hence at most one β-reduction is needed for normalization if s and t are β-normal.
Moreover, no α-renaming is needed if the bound variables are chosen differently from the
free variables. For clarity, we continue to work with an abstract normalization operator and
state further conditions as they are needed.

15.1. Lambda-Free Formulas. In [15] we study lambda- and quantifier-free EFO and
show that the concomitant subsystem of 𝒯 terminates on finite branches. The result extends
to lambda-free branches containing quantifiers (e.g., {∀α f}).

Proposition 15.3 (Lambda-Free Termination). Let the normalization operator satisfy 
[s] = s for every lambda-free EFO term s . Then T terminates on finite lambda-free branches. 

Proof. An application of J- FE disables a disequation s^ aT t and introduces new subterms as 
follows: a variable x : a, two terms sx : t and tx : r, and the formula sx^tx. The types of 
the new subterms are smaller than the type of s and t, and the new subterms introduced 
by the other rules always have type o or a. For each branch, consider the multiset of types 
<7T where s,t : or are subterms of formulas on the branch but there is no x : a such that 
sx ^ tx is on the branch. By considering the multiset ordering, we see that no derivation 
can employ J- FE infinitely often. 

Let A → A_1 → A_2 → ··· be a possibly infinite derivation that issues from a finite lambda-free branch and does not employ T_FE. It suffices to show that the derivation is finite. Consider the new variables x : α which may be introduced by the T_∀ and T_¬∀ rules. For each subterm ∀_α s at most one new variable will be introduced by these rules. Since the branches are λ-free, no rule creates new subterms of the form ∀_α s. Hence only finitely many new variables of type α are introduced. Let A_n be a branch in the sequence such that no new variables are introduced after this point. Let S_σ be the set of all subterms of type σ of the formulas in A_n. Let B be the union of the three finite sets S_o, {¬s | s ∈ S_o} and {s ≠ t | s, t ∈ S_α}. Every branch A_m with m > n can only contain members of B. Hence the derivation is finite. □
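To make the first half of this proof concrete, the following Python model (example code written for this page, not from the paper) applies T_FE to lambda-free disequations and tracks the multiset-of-types measure, checking that it strictly decreases at every step. Types are modelled as the sorts "a"/"o" or pairs for function types, the well-founded order on types is structural size, and fresh variable names are generated by the model; these choices are assumptions of the example.

```python
# Added example, not from the paper: a toy model of the T_FE step in the proof of
# Proposition 15.3 and of the multiset-of-types measure that bounds its uses.
# Types: sorts "a"/"o" or (sigma, tau) for sigma tau; terms: ("var", name, type)
# or ("app", s, t). Type size order and fresh-name scheme are our own assumptions.
from collections import Counter

def type_of(term):
    """An application (s t) with s : sigma tau has type tau."""
    return term[2] if term[0] == "var" else type_of(term[1])[1]

def type_size(ty):
    """Well-founded measure on types: a proper subtype is strictly smaller."""
    return 1 if isinstance(ty, str) else 1 + type_size(ty[0]) + type_size(ty[1])

def fe_applied(branch, s, t):
    """True if some x : sigma with sx != tx is already on the branch."""
    return any(k == "neq" and u[0] == "app" and u[1] == s and u[2][0] == "var"
               and v == ("app", t, u[2]) for k, u, v in branch)

def pending(branch):
    """Function-typed disequations to which T_FE has not yet been applied."""
    return [(s, t) for k, s, t in branch if k == "neq"
            and not isinstance(type_of(s), str) and not fe_applied(branch, s, t)]

def measure(branch):
    """The proof's multiset of types sigma tau, restricted to disequations."""
    return Counter(type_of(s) for s, _ in pending(branch))

def multiset_greater(m, n):
    """m > n in the multiset ordering: after cancelling common elements,
    every element left in n is smaller than some element left in m."""
    dm, dn = m - n, n - m
    return bool(dm) and all(any(type_size(y) < type_size(x) for x in dm) for y in dn)

def fe_step(branch, s, t, fresh):
    """T_FE on s !=_{sigma tau} t: add x : sigma and the formula sx != tx."""
    x = ("var", fresh, type_of(s)[0])
    return branch + [("neq", ("app", s, x), ("app", t, x))]

def fe_saturate(branch):
    """Apply T_FE until nothing is pending, checking each step decreases measure."""
    measures = [measure(branch)]
    while pending(branch):
        s, t = pending(branch)[0]
        branch = fe_step(branch, s, t, f"x{len(measures)}")
        measures.append(measure(branch))
        assert multiset_greater(measures[-2], measures[-1])
    return branch, measures

# Constructed sample: f, g : a(ao), i.e. two binary relations over sort a.
REL = ("a", ("a", "o"))
SAMPLE = [("neq", ("var", "f", REL), ("var", "g", REL))]
```

Running `fe_saturate(SAMPLE)` applies T_FE twice, and the measure goes from {a(ao)} to {ao} to the empty multiset, after which only the base-type disequation fx1x2 ≠ gx1x2 remains.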

15.2. Pure Disequations. A type is pure if it does not contain o. A term is pure if the type of every name occurring in it (bound or unbound) is pure. An equation s = t or disequation s ≠ t is pure if s and t are pure terms.

We add a new property of normalization in order to prove termination.

N5: The least relation ≻ on terms such that

(1) a s_1 ... s_n ≻ s_i if i ∈ {1, ..., n}

(2) s ≻ [sx] if s : στ and x : σ

terminates on normal terms.
Proposition 15.4 (Pure Termination). Let the normalization operator satisfy N5. Then T terminates on finite branches containing only pure disequations.

Proof. Let A → A_1 → A_2 → ··· be a possibly infinite derivation that issues from a finite branch containing only pure disequations. Then no other rules but possibly T_DEC and T_FE apply and thus no A_i contains a formula that is not a pure disequation (using S5). Using N5 it follows that the derivation is finite. □

15.3. Bernays-Schönfinkel-Ramsey Formulas. It is well-known that the satisfiability of Bernays-Schönfinkel-Ramsey formulas (relational first-order ∃*∀*-prenex formulas with equality) is decidable and that the fragment has the finite model property. We reobtain this result by showing that T terminates for the respective fragment. We call a type BSR if it is α or o or has the form α_1 ... α_n o. We call an EFO formula s BSR if it satisfies two conditions:

(1) The type of every variable that occurs in s is BSR.

(2) ∀_α does not occur below a negation or an implication in s.

Note that every subterm of a BSR formula that has type α is a variable. For simplicity, our BSR formulas don't provide for outer existential quantification. We need one more condition for the normalization operator:

N6: If s : αo is BSR and x : α, then [sx] is BSR.

Proposition 15.5 (BSR Termination). Let the normalization operator satisfy N5 and N6. Then T terminates on finite branches containing only BSR formulas.

Proof. Let A → A_1 → A_2 → ··· be a possibly infinite derivation that issues from a finite branch containing only BSR formulas. Then T_¬∀ and T_FE are not applicable and all A_i contain only BSR formulas (using N6). Furthermore, for each sort α used in A at most one new variable of sort α is introduced (by the restriction on T_∀ in T). Since all terms of sort α are variables, there is only a finite supply. Using N5 it follows that the derivation is finite. □

16. Conclusion 

In this paper we have studied a complete cut-free tableau calculus for simple type theory 
with primitive equality (STT). For the first-order fragment of STT (EFO) we have shown 
that the tableau system is complete with respect to standard models. Our development 
demonstrates that first-order logic can be treated naturally as a fragment of STT. 

For the EFO fragment we gave an interesting restriction on instantiations. In particular, one can restrict most instantiations of sort α to be α-discriminating terms. Such a restriction can also be included in the tableau calculus for STT without sacrificing completeness. Confining instantiations to α-discriminating terms is a serious restriction since each branch has only finitely many such terms.

Automated theorem proving would be a natural application of the tableau calculi pre- 
sented here. When designing a search procedure one often starts with a complete ground 
calculus (like our tableau calculi T and T), then extends this to include metavariables to 
be instantiated during search, and finally proves a lifting lemma showing the tableaux with 
metavariables can simulate a refutation in the ground calculus. A design principle of our 
calculi T and T is that none of the rules look deeply into the structure of any formula on the branch. For example, consider the mating rule

    x s_1 ... s_n,  ¬x t_1 ... t_n
    --------------------------------
    s_1 ≠ t_1 | ··· | s_n ≠ t_n

To check if this rule applies to two formulas s, t on the branch A, one only needs to check if 
s has a variable x at the head and if t is the negation of a formula with x at the head. When 
trying to prove a lifting lemma, we would need to show how the calculus with metavariables 
could simulate the mating rule. This may involve partially instantiating metavariables to 
expose the head x in the counterpart to s or the negation and the head x in the counterpart 
to t. On the other hand, suppose our ground calculus included a rule to close branches with a formula of the form s ≠ s. To simulate this in the calculus with metavariables we would need to know if some instantiation for the metavariables can yield a formula of the form s ≠ s. In the worst case this is a problem requiring full higher-order unification. We have
been careful to only include rules in our calculi which will not require arbitrary instantiations 
of metavariables to prove a lifting lemma. Formulating such a calculus with metavariables 
and proving such a lifting lemma is left for future work. 